Part I – Technology Governance, Controls and Security
A. Technology Governance and Risk Assessment Framework
1. VASPs must implement a technology governance and risk assessment framework, capable of determining defined policies underpinned by the necessary processes, procedures and controls that the VASP must implement in order to adequately mitigate the risks identified (“Technology Governance and Risk Assessment Framework”).
2. VASPs must ensure that they implement all policies, processes, procedures and controls necessary to address risks to the VASP's business and VA Activities covered in the Technology Governance and Risk Assessment Framework using appropriate methods, including defence-in-depth approaches for cybersecurity-related risks. Such policies, processes, procedures and controls should take into account a number of factors including the nature, scale and complexity of the VASP’s business, the diversity of its operations, the volume and size of its transactions, and the level of risk inherent in its business.
3. The Technology Governance and Risk Assessment Framework must be comprehensive and proportionate to the nature, scale, and complexity of the risks inherent in the VASP's business model and VA Activities. The Technology Governance and Risk Assessment Framework should apply to all technologies relevant to a VASP’s business and VA Activities and clearly set out—
a. the VASP’s cybersecurity objectives, including the requirements for the competency of Staff and, as relevant, end users and clients; and
b. clearly defined policies, processes, procedures and controls necessary for managing risks, including, but not limited to, consideration of international standards and industry best practice codes.
4. VASPs must ensure that their Technology Governance and Risk Assessment Framework addresses appropriate governance policies and system development controls, including but not limited to—
a. a development, maintenance and testing process for technology systems;
b. operations controls;
c. back-up controls;
d. capacity and performance planning; and
e. availability testing.
5. VASPs must monitor, assess and maintain the effectiveness of their Technology Governance and Risk Assessment Framework. In particular, VASPs must review, update and arrange for the testing of their policies, processes, procedures and controls aimed at managing risks on a periodic basis, having regard to the macroeconomic environment in which the VASP operates, as well as emerging technology risks relating to their systems and consideration of international standards and industry best practice codes.
6. VARA has provided Guidance, in Schedule 1 of this Technology & Information Rulebook, on the categories of risk, the risk mitigation measures and standards that a VASP's Technology Governance and Risk Assessment Framework should cover when complying with the Rules in this Part I of the Technology & Information Rulebook.
7. As prescribed by Rule I.I.1 of this Technology and Information Rulebook, VASPs must appoint a Chief Information Security Officer who is responsible for ensuring that the VASP complies with Part I and Part III of this Technology and Information Rulebook.
B. Cybersecurity Policy
1. VASPs must create and implement a policy which outlines their procedures for the protection of their electronic systems and client and counterparty data stored on those systems (“Cybersecurity Policy”). VASPs must submit their Cybersecurity Policy to VARA for assessment as part of the licensing process and at any subsequent time upon request from VARA.
2. VASPs must ensure that their Cybersecurity Policy is reviewed and updated at least annually by their CISO.
3. VASPs must ensure that their Cybersecurity Policy contains sound procedures and security mechanisms in accordance with best industry practices that will enable them to comply with all applicable information security, data protection and data privacy laws and regulations, including but not limited to Part II of this Technology and Information Rulebook and the PDPL, whilst maintaining the confidentiality of data at all times. The Cybersecurity Policy must address the following minimum criteria—
a. information security;
b. data governance and classification;
c. access controls;
d. capacity and performance planning;
e. systems operations and availability concerns;
f. systems and network security, consensus protocol methodology, code and smart contract validation and audit processes;
g. systems and application development and quality assurance;
h. physical security and environmental controls, including but not limited to procedures around access to premises and systems;
i. procedures regarding their facilitation of Virtual Asset transactions initiated by a client including, but not limited to, considering multi-factor authentication or any better standard for Virtual Asset transactions that—
i. exceed transaction limits set by the client, such as accumulative transaction limits over a period of time; and ii. are initiated after a change of personal details by the client, such as the address of a VA Wallet;
j. procedures regarding client authentication and session controls including, but not limited to, the maximum incorrect attempts for entering a password, appropriate time-out controls and password validity periods;
k. procedures establishing adequate authentication checks when a change to a client’s account information or contact details is requested;
l. in addition to all applicable requirements in Part II of this Technology and Information Rulebook, client data privacy, including but not limited to—
i. the security and authentication of the means of transfer of information; ii. the minimisation of the risk of data corruption and unauthorised access to data; and iii. the prevention of information leakage;
m. vendor and third-party service provider management;
n. monitoring and implementing changes to core protocols not directly controlled by the VASP, as applicable;
o. incident response, including but not limited to root cause analysis and rectification activities to prevent recurrence;
p. supplier probity and Staff vetting procedures;
q. governance framework and escalation procedures for effective decision-making and proper management and control of risks and emergency incidents, including but not limited to responses to ransomware and other forms of cyberattacks;
r. hardware and infrastructure standards, including but not limited to network lockdown, services/desktop security and firewall standards; and
s. sharing cyber threat information and intelligence with other VASPs and/or Entities—
i. whenever such action is in the best interests of the Virtual Asset market as a whole, to enhance operational resilience, manage the threat and, where practicable, minimise and/or mitigate the impact of such threat; and ii. provided that, sharing such information does not increase any risks to the VASP and/or mandate the exposure of confidential information relating to the VASP sharing such information.
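The step-up authentication triggers in item i and the session controls in item j describe a decision that a withdrawal service has to make per request: compare the amount against a per-transaction limit and a cumulative limit over a rolling window, check whether personal details such as the VA Wallet address were changed recently, count failed logins, and enforce idle time-outs and password validity periods. The following is an added illustration of that logic in Python; it is not the Rulebook's text and not any VASP's code, and the limits, windows, counters and the constructed scenario in `demo()` are assumptions chosen for the example, not figures the Rulebook prescribes.

```python
"""Added example (not rulebook or vendor code): step-up authentication triggers
and client session controls of the kind Rule I.B.3(i)-(j) asks a Cybersecurity
Policy to define. Limits, windows and counters below are illustrative
assumptions; a real deployment reads them from the client's own settings."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ClientPolicy:
    per_tx_limit: int                       # in smallest asset unit, client-set (assumed)
    rolling_limit: int                      # cumulative limit over `rolling_window`
    rolling_window: timedelta = timedelta(hours=24)
    address_change_cooldown: timedelta = timedelta(hours=24)
    max_failed_logins: int = 5
    idle_timeout: timedelta = timedelta(minutes=15)
    password_max_age: timedelta = timedelta(days=90)


@dataclass
class ClientState:
    withdrawals: list = field(default_factory=list)   # (timestamp, amount) already executed
    last_address_change: Optional[datetime] = None
    last_contact_change: Optional[datetime] = None
    failed_logins: int = 0
    locked: bool = False
    last_activity: Optional[datetime] = None
    password_set_at: Optional[datetime] = None


def step_up_reasons(policy, state, amount, now):
    """Return why a withdrawal needs MFA (or a stronger factor); empty list = none."""
    reasons = []
    if amount > policy.per_tx_limit:
        reasons.append("exceeds per-transaction limit")
    since = now - policy.rolling_window
    cumulative = amount + sum(a for t, a in state.withdrawals if t > since)
    if cumulative > policy.rolling_limit:
        reasons.append("exceeds cumulative limit over rolling window")
    for label, changed in (("VA Wallet address", state.last_address_change),
                           ("contact details", state.last_contact_change)):
        if changed is not None and now - changed < policy.address_change_cooldown:
            reasons.append(f"{label} changed within cooldown")
    return reasons


def record_login(policy, state, success, now):
    """Counts consecutive failures and locks the account at the policy maximum.
    A locked account stays locked even for a correct password."""
    if state.locked:
        return "locked"
    if success:
        state.failed_logins = 0
        state.last_activity = now
        return "ok"
    state.failed_logins += 1
    if state.failed_logins >= policy.max_failed_logins:
        state.locked = True
        return "locked"
    return "failed"


def session_status(policy, state, now):
    """'active', 'expired' (idle time-out) or 'password-expired' (validity period)."""
    if state.last_activity is None or now - state.last_activity > policy.idle_timeout:
        return "expired"
    if state.password_set_at is None or now - state.password_set_at > policy.password_max_age:
        return "password-expired"
    return "active"


def demo():
    """Constructed scenario (assumed figures): one client, one day of activity."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    policy = ClientPolicy(per_tx_limit=1_000, rolling_limit=2_500)
    state = ClientState(
        withdrawals=[(t0 - timedelta(hours=2), 900), (t0 - timedelta(hours=30), 900)],
        last_address_change=t0 - timedelta(hours=3),
        password_set_at=t0 - timedelta(days=10),
    )
    small = step_up_reasons(policy, state, 500, t0)      # within limits, but address just changed
    big = step_up_reasons(policy, state, 1_700, t0)      # > per-tx limit and 900 + 1700 > 2500
    record_login(policy, state, True, t0)
    active = session_status(policy, state, t0 + timedelta(minutes=5))
    expired = session_status(policy, state, t0 + timedelta(minutes=20))
    failures = [record_login(policy, state, False, t0 + timedelta(minutes=21 + i)) for i in range(5)]
    after_lock = record_login(policy, state, True, t0 + timedelta(minutes=30))
    return {"small": small, "big": big, "active": active, "expired": expired,
            "failures": failures, "after_lock": after_lock}


if __name__ == "__main__":
    print(demo())
```

The point of keeping the cumulative check as a rolling window rather than a calendar day is that a client who sets an "accumulative" limit expects it to hold across midnight; an attacker who has taken over the session would otherwise split a withdrawal at 23:59 and 00:01.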
C. Cybersecurity – other Legal and Regulatory Obligations
1. VASPs must ensure that their Technology Governance and Risk Assessment Framework complies with, to the extent applicable, cybersecurity laws, regulatory requirements and guidelines, including but not limited to—
a. the electronic security requirements and standards adopted by the Dubai Electronic Security Center per Law No. (9) of 2022 Regulating the Provision of Digital Services Provided in the Emirate of Dubai;
b. the Federal Decree-Law No. (45) of 2021 on the Protection of Personal Data, its executive regulations and any other cybersecurity regulatory requirements as may be imposed by the UAE Data Office from time to time; and
c. the Consumer Protection Regulation issued pursuant to Central Bank Notice No. (444) of 2021 and any other cybersecurity regulatory requirements as may be imposed by the CBUAE from time to time.
D. Cryptographic Keys and VA Wallets Management
1. VASPs must ensure that their Technology Governance and Risk Assessment Framework addresses, to the extent necessary, the generation of cryptographic keys and VA Wallets, the signing and approval of transactions, the storage of cryptographic keys and seed phrases, VA Wallet creation and management thereof.
2. VASPs must—
a. safeguard access to Virtual Assets in accordance with industry best practices and, in particular, ensure that there is no single point of failure in the VASP’s access to, or knowledge of, Virtual Assets held by the VASP;
b. adopt industry best practices for storing the private keys of clients, including ensuring that keys stored online or in any one physical location are insufficient to conduct a Virtual Asset transaction, unless appropriate controls are in place to render physical access insufficient to conduct such Virtual Asset transaction. VASPs must further ensure that backups of the key and seed phrases are stored in a separate location from the primary key and/or seed phrase;
c. adopt strict access management controls to manage access to keys, including an audit log detailing each change of access to keys. In particular, if Staff with access to a key (including a multi-signature arrangement key) leaves the employment of that VASP, the VASP must conduct an assessment to determine whether a new key must be generated;
d. adopt procedures designed to immediately revoke a key signatory’s access. In particular, a VASP must—
i. ensure that the key generation process is designed so that revoked signatories do not have access to the backup seed phrase or knowledge of the phrase used in the key’s creation;
ii. perform internal audits on a quarterly basis concerning the removal of user access by reviewing access logs and verifying access as appropriate;
iii. implement and maintain a procedure for documenting the onboarding and offboarding of Staff;
iv. implement and maintain a procedure for documenting a VASP’s permission to grant or revoke access to each role in its key management system; and
e. regularly assess the security of their information technology systems or software integrations with external parties and ensure that the appropriate safeguards are implemented in order to mitigate all relevant risks.
3. VASPs should provide information to clients on measures they can take to protect their keys and/or seed phrases from misuse or unauthorised access, and the consequences of sharing their private keys and other security information.
4. VASPs must ensure that access to their systems and data may only be granted to individuals with a demonstrable business need and implement safeguards to ensure the proper identification of all individuals, including the maintenance of an access log.
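Rule I.D.2(a)-(d) describes three properties a key-custody design has to satisfy: no single point of failure in access to or knowledge of the key, no single online store or physical location holding enough material to sign, and a revocation procedure under which a departed signatory's material is useless. One established way to meet the first two is to split the seed into k-of-n threshold shares and place them (and their backups) so that no location holds k of them. The following is an added illustration in Python, not the Rulebook's text and not any VASP's or vendor's code: a textbook Shamir secret sharing over a prime field, a check that no single storage location holds a reconstructing quorum, and re-sharing after a signatory leaves. The field, the 3-of-5 layout, the location names and the test seed in `demo()` are assumptions made for the example.

```python
"""Added example (not rulebook or vendor code): k-of-n threshold custody of a
wallet seed with Shamir's Secret Sharing over GF(p), a quorum check on where the
shares and their backups are stored, and re-sharing after a signatory leaves.
The field, the 3-of-5 layout and the location names are assumptions."""
import secrets

PRIME = 2**521 - 1   # Mersenne prime; any 256-bit seed fits as a field element (assumed choice)


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... (mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, k: int, n: int):
    """Return n shares (x, f(x)) of a random degree k-1 polynomial with f(0) = secret.
    Any k shares reconstruct the secret; k-1 shares are statistically independent of it."""
    if not (1 <= k <= n and 0 <= secret < PRIME):
        raise ValueError("bad threshold parameters or secret out of field range")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation of f(0). Fewer than k shares do not raise: they
    interpolate a different polynomial and return an unrelated value, so the
    quorum must be enforced by the signing procedure, not detected here."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def single_location_quorums(placement, k):
    """placement: (share_index, location) pairs, one per stored copy, backups
    included. Returns locations that alone hold >= k distinct shares, i.e. a
    single point of failure in the sense of Rule I.D.2(a)-(b)."""
    held = {}
    for idx, loc in placement:
        held.setdefault(loc, set()).add(idx)
    return sorted(loc for loc, idxs in held.items() if len(idxs) >= k)


def demo():
    """Constructed scenario: 3-of-5 sharing of a fixed test seed (not a real seed)."""
    seed = int.from_bytes(bytes(range(32)), "big")
    shares = split_secret(seed, 3, 5)
    quorum_ok = recover_secret([shares[0], shares[2], shares[4]]) == seed
    below_quorum_ok = recover_secret(shares[:2]) == seed   # False except with prob ~2^-521
    # Backups of every share in one vault: that vault alone can reconstruct.
    bad_layout = ([(1, "hsm-a"), (2, "hsm-b"), (3, "vault-c"), (4, "vault-d"), (5, "vault-e")]
                  + [(i, "backup-vault") for i in range(1, 6)])
    # Backups spread so that every site, primary or backup, stays below the threshold.
    good_layout = [(1, "hsm-a"), (2, "hsm-b"), (3, "vault-c"), (4, "vault-d"), (5, "vault-e"),
                   (1, "backup-x"), (2, "backup-x"), (3, "backup-y"), (4, "backup-y"), (5, "backup-z")]
    # The signatory holding share 3 leaves: re-share with a fresh polynomial so the
    # old share is useless even alongside new ones. If that person could ever have
    # reconstructed the whole seed, re-sharing is not enough and the funds must be
    # moved to a new key (the assessment Rule I.D.2(c) asks for).
    new_shares = split_secret(seed, 3, 5)
    old_share_mixed = recover_secret([shares[2], new_shares[0], new_shares[1]]) == seed
    return {
        "quorum": quorum_ok,
        "below_quorum": below_quorum_ok,
        "bad_layout": single_location_quorums(bad_layout, 3),
        "good_layout": single_location_quorums(good_layout, 3),
        "old_share_mixed": old_share_mixed,
    }


if __name__ == "__main__":
    print(demo())
```

Two practical caveats follow from the code. First, `recover_secret` cannot tell a below-quorum reconstruction from a correct one; the quorum is a property of the signing ceremony and must be enforced there (for example by an HSM policy), which is why the audit log of Rule I.D.2(c) matters. Second, a backup site that holds copies of all n shares is itself a single point of failure, even though each backup is "separate from the primary"; the layout check treats backup copies exactly like primaries.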
E. Testing and Audit
1. VASPs must engage a qualified and independent third-party auditor to conduct vulnerability assessments and penetration testing (including, to the extent relevant to the VASP’s business and VA Activities, comprehensive audits of the effectiveness, enforceability and robustness of all smart contracts) at least on an annual basis and prior to the introduction of any new systems, applications and products. VASPs must provide the results of any such assessments and tests to VARA upon VARA’s request.
2. VASPs should maintain effective internal functions and measures for continuous monitoring of their operations and processes. In particular, on a regular basis and on request by VARA, VASPs must perform—
a. security testing on both infrastructure and applications; and
b. internal system and external system vulnerability audits.
3. Evidence of tests and audits must be documented by VASPs and made immediately available by them for inspection by VARA, upon VARA’s request.
4. VASPs shall ensure that they are regularly audited by independent auditors to examine their management processes for ensuring the effectiveness of their processes, procedures and controls, and their compliance with regulatory requirements. VASPs must provide the results of any such audit to VARA upon VARA’s request.
5. VARA may notify a VASP that it is required to carry out advanced testing by means of TLPT, where VARA considers it necessary and proportionate to do so, taking into account the following factors–
a. any specific risks to which a VASP is or might be exposed;
b. the criticality of a VASP's business and/or VA Activities; and
c. any other relevant risks.
6. All TLPTs required under Rule I.E.5 must be carried out in accordance with the following conditions—
a. each TLPT is to be carried out by an external tester;
b. TLPTs may be required by VARA to cover Critical or Important Functions of a VASP and, where required, be performed on live production systems, technologies and processes supporting such Functions;
c. where it is necessary for third-party service providers of the VASP to be included in the scope of a TLPT, the VASP shall ensure the participation of such third-party service providers in the TLPT;
d. VASPs shall mitigate the risks of testing including any potential impact on data, damage to assets, and disruption to Critical or Important Functions, services or operations at the VASP itself or to counterparts, and with due security assurance of data and privacy of client assets;
e. at the end of the testing, the VASP (together with the external tester) shall produce a summary of the relevant findings, the remediation plans and the documentation demonstrating that the TLPT has been conducted in accordance with all relevant requirements as stated herein; and
f. the VASP shall promptly provide all documentation relating to the TLPT to VARA, including the summary of the relevant findings, the remediation plans and the documentation demonstrating that the TLPT has been conducted in accordance with all relevant requirements as stated herein.
7. VASPs must ensure that the external testers they use to carry out any TLPT—
a. are suitable and of good repute;
b. possess all necessary technical and organisational capabilities and demonstrate specific expertise in threat intelligence and penetration testing;
c. are certified by an accreditation body, or adhere to formal codes of conduct or ethical frameworks;
d. provide an independent assurance, or an audit report, in relation to the sound management of risks associated with the carrying out of the TLPT, including the due protection of the VASP’s confidential information; and
e. are duly and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence.
8. VASPs shall ensure that contracts concluded with external testers—
a. require sound management of the TLPT results and any data processing thereof, including any generation, storage, aggregation, draft, report, communication or destruction; and
b. do not create additional risks for the VASP or any of its systems.
9. Third-party technology service providers. Where the participation of a third-party technology service provider is required in any TLPT, as referred to in Rule I.E.6.c, the VASP and the third-party technology service provider may agree that such third-party technology service provider directly enters into contractual arrangements with the external tester appointed by the VASP under Rule I.E.6.a, if such participation is reasonably expected to have an adverse impact on—
a. the quality or security of services delivered by such third-party technology service provider to the market; or
b. on the confidentiality of the data related to such services.
10. In the event that a third-party technology service provider directly enters into contractual arrangements with the external tester appointed by the VASP for a TLPT under Rule I.E.9, the VASP notified by VARA to carry out the TLPT must ensure that—
a. the third-party technology service provider remains under the direction of the VASP;
b. the results shall cover the relevant range of services supporting Critical or Important Functions of the VASP notified by VARA; and
c. all results provided by the third-party technology service provider to the external tester must be a fair representation of, and specific to, the VASP.
F. Virtual Asset Transactions
1. VASPs must implement controls that prevent the manipulation of, or coordinated collusion or attacks against, automated systems.
2. In addition to all applicable requirements in the Compliance and Risk Management Rulebook, VASPs must implement and maintain distributed ledger tracing software to screen incoming and outgoing Virtual Asset transactions and VA Wallet addresses. How VASPs will respond to any Suspicious Transactions must be set out in their AML/CFT policies in accordance with the Compliance and Risk Management Rulebook.
G. Algorithm Governance
1. If a VASP conducts VA Activities using algorithms (in whole or in part), it must establish policies and procedures that enable its Board and Senior Management to have robust oversight and control over the design, testing, performance, deployment and ongoing maintenance of such algorithms.
2. VASPs must maintain documentation and records of the design, testing, performance, deployment and ongoing maintenance of such algorithms, including but not limited to the logic used by the algorithm, any data or assumptions upon which decisions are based and any potential or actual biases in such data or assumptions and any results produced by the algorithm.
3. VASPs must ensure that they have qualified and competent Staff to ensure the proper functioning and supervision of such algorithms on an ongoing basis.
H. Business Continuity, Cybersecurity Events and Risk
1. VASPs must implement, maintain, test and update on an annual basis an adequate Business Continuity and Disaster Recovery Plan (“BCDR Plan”) to minimise disruption to their operations. The BCDR Plan must address, but not be limited to—
a. events that may trigger the implementation of the BCDR Plan, such as cybersecurity events and technical failures, and procedures to be taken to assess the nature, scope and impact of the event;
b. resource requirements, including but not limited to Senior Management and Staff, systems and other assets;
c. recovery priorities for the VASP’s operations, including but not limited to the preservation of essential data and critical functions and the maintenance of those data and functions;
d. communication arrangements for affected internal and external parties;
e. processes to validate the integrity of information affected by any interruption;
f. procedures to mitigate operational impact and/or to transfer operational functions including, but not limited to, escalation of response and recovery activities to designated personnel and management;
g. an alternative site sufficient to recover and continue operations for a reasonable period; and
h. procedures to remediate identified and/or exploited vulnerabilities or upgrade relevant protocols once stable operations are resumed to prevent similar events.
2. The BCDR Plan should take into consideration and address factors and issues specific to Virtual Assets and DLT including, but not limited to, network malfunction, loss of data or compromise in data integrity, and key storage and maintenance of authorisation layers.
I. Chief Information Security Officer and Management
1. VASPs must appoint a Chief Information Security Officer (“CISO”) who is responsible for ensuring that the VASP complies with Part I and Part III of this Technology and Information Rulebook. The CISO must be a separate individual from the CO; however, the CISO may also take on the responsibilities of the Data Protection Officer under Rule II.B.2 of this Technology and Information Rulebook.
2. The CISO must be of sufficiently good standing and appropriately experienced.
3. Senior Management must regularly assess and review the effectiveness of the VASP’s processes, procedures and controls in relation to the VASP’s compliance with this Technology and Information Rulebook and all applicable laws and regulatory requirements, as well as allocate duties and apportion roles and responsibilities within the VASP to prevent conflicts of interest.
J. Staff Competency
1. In addition to relevant requirements in the Compliance and Risk Management Rulebook, VASPs must ensure that all Staff are aware of the latest cybersecurity risks and developments (including those specific to Virtual Assets and DLT), taking into account the type and level of cyber risks that they may face in their respective roles.
K. Notification to VARA
1. In addition to relevant requirements in the Compliance and Risk Management Rulebook, upon the detection of any occurrence of (i) a material cybersecurity event or (ii) an event triggering the implementation of the BCDR Plan that materially impacts a VASP’s business operations, the VASP shall report such event to VARA as soon as reasonably practicable, and in any event no later than seventy-two (72) hours from detection, with all relevant details of the nature, scope and impact of such event and the steps the VASP is or will be taking to mitigate such impact including, but not limited to, whether any notifications or reports have been made to authorities other than VARA.