Santech Holdings (STEC) Risk Factors

Our services involve the exchange, storage and analysis of highly confidential information, including detailed personal and financial information and medical data regarding our clients, through a variety of electronic and non-electronic means, and our reputation and business operations are highly dependent on our ability to safeguard the confidential personal data and information of our clients. We rely on a network of process and software controls to protect the confidentiality of data provided to us or stored on our systems. We face various security threats on a regular basis, including cyber-security threats to and attacks on our technology systems that are intended to gain access to our confidential information, destroy data or disable our systems. Our medical examination centers, clinics and internet hospitals collect and maintain medical data and treatment records of our clients. PRC laws and regulations generally require medical institutions and their medical personnel to protect the privacy of their customers and prohibit unauthorized disclosure of personal information. Such medical institutions and their medical personnel will be liable for damage caused by divulging the customers' private or medical records without consent. We have taken measures to maintain the confidentiality of our customers' medical records, including encrypting such information in our information technology system so that it cannot be viewed without proper authorization and setting internal rules requiring our employees to maintain the confidentiality of our customers' medical records. However, these measures may not always be effective in protecting our customers' medical records. Our information technology systems could be breached through hacking. Personal information could be leaked due to any theft or misuse of personal information due to misconduct or negligence. In addition, although we do not make the customers' medical records available to the public, we use such data on an aggregated basis after redacting personally identifiable information for marketing purposes. Regulatory authorities in China have implemented, and are considering, a number of legislative and regulatory proposals concerning data protection. For example, the Cyber Security Law of PRC, or the Cyber Security Law, which became effective in June 2017, created China's first national-level data protection for "network operators" which may include all network service providers in China. The PRC Civil Code, which became effective on January 1, 2021, also stipulates that the personal information of a natural person shall be protected by the law. The PRC Data Security Law, which was promulgated by the Standing Committee of the National People's Congress ("SCNPC") on June 10, 2021 and took effect on September 1, 2021, requires data collection to be conducted in a legitimate and proper manner, and stipulates that, for the purpose of data protection, data processing activities must be conducted based on data classification and hierarchical protection system for data security. Furthermore, the recently issued Opinions on Strictly Cracking Down Illegal Securities Activities in Accordance with the Law require (i) speeding up the revision of the provisions on strengthening the confidentiality and archives management relating to overseas issuance and listing of securities and solidifying the primary responsibility for information security of overseas listed companies, and (ii) improving the laws and regulations relating to data security, cross-border data flow, and management of confidential information. In addition, the PRC State Administration for Market Regulation ("SAMR") and the PRC Standardization Administration jointly issued the Standard of Information Security Technology - Personal Information Security Specification (2020 edition), which took effect on October 2020. Pursuant to this standard, any person or entity who has the authority or right to determine the purposes for and methods of using or processing personal information is considered a personal information controller. Such personal information controller is required to collect information in accordance with applicable laws, and except in certain specific events that are expressly exempted in the standard, prior to collecting such data, the information provider's consent is required. On April 19, 2021, the PRC Standardization Administration issued the Information Security Technology - Personal Information Security Measurement and Evaluation Specification in Mobile Internet Applications (Revised Draft for Comments), or the Measures for Mobile Internet Applications, to collect public comments. The deadline for collecting comments is June 18, 2021. Based on the Information Security Technology - Personal Information Security Specification (2020 edition), the Measures for Mobile Internet Applications put forward the personal information security requirements, stipulate the implementation process and evaluation method of App personal information security assessment. To provide reference for identifying App's illegal collection and use of personal information, the Cyberspace Administration of China (CAC), the PRC Ministry of Industry and Information Technology (MIIT), the SAMR and the PRC Ministry of Public Security (MPS), collectively released the Notice on Promulgation of the Method for Identifying the Illegal Collection and Use of Personal Information by Apps, on November 28, 2019, which took effect on the same day. On March 12, 2021, the MIIT, the SAMR and the MPS released the Notice on Promulgation of the Rules on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications, effected on May 1, 2021, which stipulates that operators of mobile Internet applications (APPS) shall not deny users access to basic App functions because users do not agree to collect unnecessary personal information. According to Notice on Promulgation of the Rules on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications, for the investment and wealth management APPs, the basic functional services include, among others, investment and wealth management services relating to shares, futures, funds, bonds. We are in the process of applying for certificates of cybersecurity with respect to our operating subsidiaries. The compliance with the regulations could be expensive, and the reduction in our ability to collect, transfer and use data due to tightened regulations could also have an adverse effect on our business. Furthermore, the CAC issued the Provisions on the Cyber Protection of Children's Personal Information, which took effect on October 1, 2019. According to these provisions, no person or entity is allowed to produce, release, or disseminate information that infringes upon the personal information security of children aged below 14. Network operators collecting, storing, using, transferring, or disclosing children's personal information are required to enact special protections for such information. The Announcement of Launching Special Crackdown Against Illegal Collection and Use of Personal Information by Mobile Apps was issued with effect on January 23, 2019 and commenced coordinated efforts among the CAC, the MIIT, the MPS, and the SAMR to combat the illegal collection and use of personal information by mobile apps throughout China. On October 31, 2019, the MIIT issued the Notice on the Special Rectification of Mobile Apps Infringing Users' Rights and Interests, pursuant to which application providers were required to promptly rectify issues that the MIIT designated as infringing application users' rights such as collecting personal information in violation of PRC regulations and setting obstacles for user account deactivation. In July 2020, the MIIT issued the Notice on Conducting Special Rectification Actions in Depth Against the Infringement upon Users' Rights and Interests by Applications, to rectify the following issues: (i) illegal collection and use of personal information of users by an application and a software development kit, (ii) setting up obstacles and frequently harassing users, (iii) cheating and misleading users, and (iv) inadequate implementation of application distribution platforms' responsibilities. If we do not take adequate measures to prevent security breaches and maintain adequate internal controls or fail to implement new or improved controls, data, including personal information, could be misappropriated or confidentiality could otherwise be breached. We could be subject to liability if we inappropriately disclose any client's personal information, or if third parties are able to penetrate our network security or otherwise gain access to any client's name, address, portfolio holdings, or other personal information. Any such failure could subject us to claims for identity theft or other similar fraud claims or claims for other misuses of personal information, such as unauthorized marketing or unauthorized access to personal information. In addition, such events would cause our clients to lose their trust and confidence in us, which may result in a material adverse effect on our business, results of operations and financial condition. At the same time, compliance with the regulations could be expensive, and the reduction in our ability to collect, transfer and use data due to increased regulation could also have an adverse effect on our business. In addition, although we believe our current usage of clients' medical records is in compliance with applicable laws and regulations governing the use of such information, any change in such laws and regulations could affect our ability to use medical data and subject us to liability for the use of such data. Failure to protect clients' medical records, or any restriction on or liability as a result of, our use of medical data, could have a material adverse effect on our business.

We distribute a broad variety of wealth management products, including private market investment products ("Private Market Investment Products") and public market investment products ("Public Market Investment Products"), from which we generate distribution commissions, recurring fees and performance-based fees. Through our Hong Kong subsidiaries, we also provide asset management products and derive management fees and performance-based fees, and facilitate sales of insurance products and derive one-time commissions. These products often have complex structures and involve various risks, including default risks, interest risks, liquidity risks, market risks, counterparty risks, fraud risks and other risks. In addition, we are subject to risks arising from any potential misconduct or violation of law by the product providers. Any such misconduct or violation of law may adversely affect the performance of the applicable products that we distribute or facilitate to sell and harm our reputation. Our success depends, in part, on our successful identification and full appreciation of risks associated with such products. Not only must we be cautious about these risks in the design and development of our products and services, we must also accurately describe the risks associated with our products and services to, and evaluate them for, our clients. Our risk management policies and procedures may not be fully effective in mitigating the risk exposure of our clients in all market environments or against all types of risks. If we fail to identify and fully appreciate the risks associated with the products that we distribute or manage, or fail to disclose such risks to our clients in a sufficiently clear manner, our clients may suffer financial loss or other damages. If that occurs, our reputation, client relationship, business and prospects may be materially and adversely affected.

We operate in an increasingly competitive environment and compete for clients on the basis of, among other things, product offering, client services, branch network, reputation and brand name. In the wealth management service industry, we face competition primarily from commercial banks, non-bank traditional financial institutions such as securities firms, asset management firms, trust companies and insurance companies, and non-traditional financial institutions such as other large independent wealth management companies and online wealth management platforms. In addition, there is a risk that we may not successfully identify new product and service opportunities or develop and introduce these opportunities in a timely and cost-effective manner. New competitors that are better adapted to the wealth management services industry may emerge, which could cause us to lose market share in key market segments. Our competitors may have greater financial and marketing resources than we do. For example, the commercial banks we compete with tend to enjoy significant competitive advantages due to their nationwide distribution network, established brand and credibility, and much larger client base and execution capabilities. Moreover, many of the wealth management product providers with whom we currently have relationships, such as fund managers or securities firms, are also engaged in, or may in the future engage in, the distribution of wealth management products and they may benefit from their vertical integration of manufacturing and distribution. In addition, as the markets for medical examination, online medical services and medical aesthetic services are relatively new, rapidly evolving and intensely competitive, we expect competition to continue and intensify in the future. We face competition from other medical examination centers, clinics, online medical platforms, medical aesthetic service providers, other integrated health management services providers and general online e-commerce platforms. We expect competition to intensify in the future as current competitors diversify and improve their service offerings and as new participants enter the market. We cannot assure you that we will be able to compete effectively or efficiently with current or future competitors. They may be acquired by, receive investment from or enter into strategic relationships with established and well-financed companies or investors, which would help enhance their competitiveness. Furthermore, the current competitors and new entrants in the health management industry may also seek to develop new service offerings, technologies or capabilities that could render some of the services we offer obsolete or less competitive, and some of them may adopt more aggressive pricing policies or devote greater resources to marketing and promotional campaigns than we do. More specifically, the medical aesthetic service market in Mainland China faces competition from developed markets such as South Korea, Japan, Hong Kong and Taiwan. The failure of service providers in Mainland China to compete effectively against their overseas counterparts may materially and adversely impact our financial results. The occurrence of any of these circumstances may hinder our growth and reduce our market share, and thus our business, results of operations, financial condition and prospects would be materially and adversely affected.

We currently provide health management services through digital platforms and the "Life Infinity Plus" marketplace. We plan to expand the service scope and capability of our internet hospital. As this is a new business opportunity with which we have little experience, we may not be able to attract and maintain the patients. The future profitability of our internet hospital relies on our capability of building our brand and improving our services and brand awareness. If our new service offerings do not meet users' expectation or if we fail to provide superior user experience or maintain users' trust in our brand, our business and reputation may be adversely affected. Furthermore, the online health management service market is immature and volatile, and if it does not develop, if it develops more slowly than we expect, or if our services do not drive user engagement, the growth of our business will be harmed. In addition, the performance of our internet hospital will rely heavily on our marketing and business developing strategy. The marketing activities of our internet hospital will increase additional operational costs, and we cannot ensure that our marketing activities will achieve the anticipated effect. Any malicious harassment or other unfair competitions will also make our marketing activities less effective. Furthermore, the Administrative Measures on Internet Information Services, which was promulgated by the PRC State Council on September 25, 2000 and amended on January 8, 2011, set out guidelines on the provision of internet information services. It requires that a commercial operator of internet content provision services must obtain a value-added telecommunications business operating license ("ICP License") for the provision of internet information services from the appropriate telecommunications authorities. Any failure, or perceived failure, by us to comply with any applicable regulatory requirements or internet information service-related rules, laws and regulations could result in proceedings or actions against us by governmental entities or others. These proceedings or actions may subject us to significant penalties and negative publicity, require us to change our business model or practices, increase our costs and severely disrupt our business.

Our business is highly dependent on the ability of our information technology systems to timely process a large amount of information of product offering, clients and transactions. The proper functioning of our client transactions and services, sales management, financial control, accounting, and other information technology systems, together with the communication systems between our various wealth service centers and our headquarters in Shanghai, is critical to our business and to our ability to compete effectively. We cannot assure you that our business activities would not be materially disrupted in the event of a partial or complete failure of any of these information technology or communication systems, which could be caused by, among other things, software malfunction, computer virus attacks or conversion errors due to system upgrading. In addition, a prolonged failure of our information technology system could damage our reputation and materially and adversely affect our future prospects and profitability. In addition, as we plan to invest in intelligence client service platform and relationship manager management platform, we cannot assure you that no additional licenses or permits under relevant laws and regulations to own or use such platforms or IT infrastructure would be required, or that we would be able to obtain additional licenses or permits. If we are unable to obtain such licenses or permits, or be forced by governmental authorities to dismantle such infrastructure, we may not be able to recoup our investments and our future prospects and profitability may be materially and adversely affected. In addition, we operate our business primarily in China, and are subject to complex and evolving PRC laws and regulations. For example, we face risks relating to regulatory approvals on overseas listings and oversight on cybersecurity and data privacy. Uncertainties in the PRC legal system and the interpretation and enforcement of PRC laws and regulations could limit the legal protection.

We conduct our business in Mainland China primarily through the VIEs of which we could direct the operational activities in Mainland China through contractual arrangements. Our operations in Mainland China are governed by PRC laws and regulations. The PRC government has significant oversight and discretion over the conduct of our business in Mainland China and may intervene in or influence our operations, which could result in a material adverse change in our operations and/or the value of our ADSs. Also, the PRC government has recently indicated an intent to exert more oversight and control over offerings that are conducted overseas and/or foreign investment in China-based issuers. Any such action could significantly limit or completely hinder our ability to offer or continue to offer securities to investors and could cause our securities to significantly decline in value or become worthless. See "Item 3. Key Information-D. Risk Factors-Risks Related to Doing Business in Mainland China and Hong Kong-The filing with the CSRC and the approval of other PRC government authorities are required in connection with our future offshore offerings under PRC law, which could significantly limit or completely hinder our ability to offer or continue to offer securities to investors and cause the value of such securities to significantly decline in value or become worthless." Therefore, our investors face potential uncertainty from actions taken by the PRC government, which could result in a material adverse change in our operations in China and the value of our ADSs.

Our business could be and has been affected by public health epidemics, such as the outbreak of avian influenza, severe acute respiratory syndrome, or SARS, Zika virus, Ebola virus, the COVID-19 pandemic or other disease. During the first half of 2022, there was an upsurge of COVID-19 cases in China, especially in the city of Shanghai, which was followed by certain restrictive measures to contain the COVID-19 pandemic. In addition, we and our clients experienced limitations in having face-to-face meetings due to quarantine measures and travel bans imposed by the government to contain the spread of this outbreak. Furthermore, although the World Health Organization has declared that the COVID-19 pandemic is no longer a global health emergency and the PRC government has gradually lifted restrictions and quarantine measures in China due to the fact that the pandemic is being contained, there is still great uncertainty as to the future development of the COVID-19 pandemic, which may still affect our work efficiency and productivity and cause delay or cancellation in our offline events, and in turn adversely affect our business. In addition to the impact of the COVID-19 pandemic and other health epidemics, our business could also be materially and adversely affected by natural disasters or other public safety concerns affecting China or elsewhere in the world.