After the news emerged last week that Chinese cybersecurity regulators had cracked down on the ride-sharing firm DiDi Global shortly after the company completed its U.S. IPO, the company was hit with a U.S. securities class action lawsuit. However, DiDi was not the only Chinese company that recently completed a U.S. IPO that was targeted by the Chinese regulator. Two other Chinese companies that completed U.S. IPOs in June – Full Truck Alliance Co. Ltd. and Kanshun Limited – were both also notified that their companies were under review by the cybersecurity regulator. And now both of these companies have also been hit with U.S. securities class action lawsuits, as discussed below.
Full Truck Alliance Co. Ltd.
Full Truck Alliance Co. Ltd. (FTA) operates a digital platform that connects shippers with truckers to facilitate shipments with China. In 2017, FTA acquired to other digital freight platforms, Yunmanman and Huochebang. The company is organized under the laws of the Caymans Islands and located in Guiyang, China. The company completed its U.S. IPO on June 23, 2021. Its securities are listed on the NYSE.
On July 5, 2021, FTA issued a press release announcing that the Cybersecurity Review Officer (CRO) of the Cyberspace Administration of China (CAC) had itself announced on July 5, 2021 that the CRO had “initiated a cybersecurity review of FTA’s Yunmanman apps and Huocheband apps.” The press release stated further that “in order to facilitate review and prevent the expansion of potential risks, these mobile apps are required to suspend new user registration in China during the review period.” The press release stated that FTA is cooperating with the review and also conduction a “comprehensive self-examination of any potential cybersecurity risks and will continue to improve its cybersecurity systems and technology capabilities.” According to the subsequently filed securities class action lawsuit complaint, FTA’s share price fell 6% on this news.
On July 12, 2021, a plaintiff investor filed a securities class action lawsuit in the Eastern District of New York against FTA; certain of its directors and officers; and its offering underwriters. A copy of the complaint can be found here. The complaint purports to be filed on behalf of person who acquired FTA’s securities pursuant or traceable to the registration statement issued in connection with FTA’s June 2021 U.S. IPO.
The class action complaint quotes extensively from FTA’s registration statement filed in connection with the IPO. Several pages of the complaint consist of nothing more than block quotations from the registration statement. The complaint also cites the company’s July 5, 2021 press release about the Chinese cybersecurity regulator’s review of the company’s practices.
The complaint alleges with respect to the registration statement, “rather than disclose the specific known concerns and issues with the Company’s practices and apparent non-compliance with relevant technology laws, the Registration Statement merely discussed the material importance to investors of China’s regulatory regime with regards to data security.” The risk disclosures, the complaint alleges, were “materially misleading” because they “failed to disclose” the Company’s “non-compliance” with relevant regulations” and the “potential penalties for their non-compliance – including a suspension of new user additions during a cybersecurity review.”
The complaint alleges that the statements from the registration statement reference in the complaint were misleading because they misrepresented or failed to disclose that: “(1) FTA’s apps Yunmanman and Huochebang would face an imminent cybersecurity review by the CAC; (2) the CAC would require FTA to suspend new user registration; (3) FTA needed to conduct a ‘comprehensive self-examination of any cybersecurity risks’; (4) FTA needed to ‘continue to improve its cybersecurity systems and technology capabilties’; and (5) as a result Defendants’ public statements were materially false and misleading at all relevant times and negligently prepared.”
The complaint alleges that the defendants violated Section 11, 12(a)(2), and 15 of the Securities Act of 1933. The complaint seeks to recover damages on behalf of the plaintiff class.
The Kanzhun Limited Lawsuit
Kanzhun is an online employment recruiting platform operating in China. The company is organized under the laws of the Cayman Islands and based Beijing, China. The company completed a U.S. IPO on June 11, 2021.
On July 5, 2021, Kanzhun issued a press release stating that pursuant to a July 5, 2021 announcement of the Cyberspace Administration of China, the company is “subject to cybersecurity review” by the authority. During the review, the company’s BOSS Zhipin app “is required to suspend new user registration in China to facilitate the process.” The press release states that the company is cooperating fully with the authority, and that the company plans to “conduct a comprehensive examination of cybersecurity risks and continue to enhance its cybersecurity awareness and technology capabilities.” The subsequently filed securities class action complaint alleges that the company’s share price declined 15% on the news.
On July 12, 2021, a plaintiff investor filed a securities class action lawsuit in the District of New Jersey against the company and certain of its executives. A copy of the complaint can be found here. The complaint purports to be filed on behalf of a class of investors who purchased the company’s securities between June 11, 2021 and July 2, 2021.
Like the complaint filed against FTA, the complaint filed against Kanzhun quotes extensively from the registration statement the company issued in connection with its June 2021 IPO. The complaint also cites the July 5, 2021 press release referring to the cybersecurity review. Several pages of the complaint consist of nothing more than block quotations from the registration statement and prospectus.
The complaint states that the registration statement contained statements that were materially false or misleading because they misrepresented or failed to disclose that “(1) Kanzhun would face an imminent cybersecurity review by the CAC; (2) the CAC would require Kanzhun to suspend new user registration on its BOSS Zhipen app; (3) Kanzhun needed to conduct a ‘comprehensive examination of cybersecurity risks’; (4) Kanzhun needed to enhance its cybersecurity awareness and technology capabilities’; and (5) as a result, Defendants’ statements about is business, operations, and prospects, were materially false and misleading and/or lacked a reasonable basis at all relevant times.”
The complaint alleges that the defendants violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The complaint seeks to recover damages on behalf of the plaintiff class.
Discussion
With these two new lawsuits now a series of Chinese companies that recently completed U.S. IPOs and that post-IPO were targeted by the Chinese cybersecurity regulator have been hit with U.S. securities class action lawsuits. One common thread between these two new lawsuits and at least one of the complaints previously filed against DiDi that they were all filed by the same law firm. All three of the lawsuits are remarkably similar, with the perhaps significant difference that in the case of DiDi the complaint includes allegations that prior to DiDi’s U.S. IPO Chinese authorities had warned the company to hold off on the IPO but that under pressure from investors the company had gone ahead with the offering anyway. There are no such allegations against the company defendants in the two most recently filed securities lawsuits.
As noted above, both of the two new complaints share a common feature, in that large parts of the complaints consist of nothing more than block quotations from the company’s respective registration statements. Whatever the plaintiffs’ lawyers’ intent may have been with respect to these block quotations, the effect for any reader will be to provide impressive evidence of how thorough and comprehensive the precautionary disclosure was in the registration statements.
Both registration statements cite the comprehensive nature of the Chinese cybersecurity laws; the active and aggressive approach of the Chinese cybersecurity regulator and the regulator’s past action involving the company’s cybersecurity; the unpredictability of the regulator’s approach to regulation; and the extent of harm the company could experience if the regulator were to crackdown or if the company were to experience a cybersecurity incident. I have to say that based on reading the complaints and their extensive quotations from the company’s registration statements, it is going to be an uphill battle for the plaintiffs to try to establish that investors were misled – except perhaps for their failure to predict in advance the regulator’s post IPO crackdown.
There are a number of interesting features to these two complaints. For starters, the FTA complaint alleges only ’33 Act violations (and names the offering underwriters as defendants), whereas the Kanzhun complaint alleges only ’34 Act violations (and does not name the offering underwriters as defendants). I suspect this difference in approach has to do with the fact that FTA’s stock price drop following the bad news disclosure took the price of the company’s securities below the offering price, whereas the drop in Kanzhun’s securities price did not take the price below the offering price.
Another interesting thing about these two new complaints, along with the prior complaint filed against DiDi, is that the illustrate how cybersecurity regulatory issues can lead to D&O claims. There have of course been D&O claims arising from cybersecurity incidents for some time now. The interesting twist on the pattern in these new lawsuits is that it does not appear that there was a cybersecurity incident as such; instead, the D&O claims arose after the cybersecurity regulator raised concerns about the defendant company’s cybersecurity protocols and protections. Clearly, increased regulator scrutiny of cybersecurity issues could lead to further D&O claims.
To be sure, the actions of the regulator do not reflect generalized concerns about cybersecurity issues; the concerns seem focused particularly on issues surrounding Chinese companies that recently completed U.S. securities offerings. There obviously is more going on here than just a cybersecurity crackdown. The Chinese government is clearly focused on companies that are completed offshore offerings, and using cybersecurity regulation as the means to manage its concerns. Media reports have explicitly stated that the Chinese government is using its regulation of cybersecurity to monitor and oversee U.S.-listed Chinese companies. And the scrutiny is not just focused on companies that have completed offerings; for example, on July 12, 2021, ByteDance Ltd., the Chinese owner of the Internet video company TikTok, indefinitely put on hold its plans to complete an overseas offering later this year after government officials told the company to focus on addressing data-security risks.
In any event, these new lawsuits, like the prior suit against DiDi, highlight the fact that there is a substantial component of political risk involved in doing business in, and investing in companies that do business in, China. The fact that political officials and financial regulators might intervene in markets underscores the fact that the political dimension of China’s economy can never be disregarded. These events put a huge asterisk beside the market capitalization and business prospects of any company doing business in China.