1. VASPs must implement a technology governance and risk assessment framework, capable of determining defined policies underpinned by the necessary processes, procedures and controls that the VASP must implement, in order to adequately mitigate the risks identified (“Technology Governance and Risk Assessment Framework”).

2. VASPs must ensure that they implement all policies, processes, procedures and controls necessary to address risks to the VASP's business and VA Activities covered in the Technology Governance and Risk Assessment Framework using appropriate methods, including defence-in-depth approaches for cybersecurity-related risks. Such policies, processes, procedures and controls should take into account a number of factors, including the nature, scale and complexity of the VASP’s business, the diversity of its operations, the volume and size of its transactions, and the level of risk inherent in its business.

3. The Technology Governance and Risk Assessment Framework must be comprehensive and proportionate to the nature, scale, and complexity of the risks inherent in the VASP's business model and VA Activities. The Technology Governance and Risk Assessment Framework should apply to all technologies relevant to a VASP’s business and VA Activities and clearly set out—
   a. the VASP’s cybersecurity objectives, including the requirements for the competency of Staff and, as relevant, end users and clients; and
   b. clearly defined policies, processes, procedures and controls necessary for managing risks, including, but not limited to, consideration of international standards and industry best practice codes.

4. VASPs must ensure that their Technology Governance and Risk Assessment Framework addresses appropriate governance policies and system development controls, including but not limited to—
   a. a development, maintenance and testing process for technology systems;
   b. operations controls;
   c. back-up controls;
   d. capacity and performance planning; and
   e. availability testing.

5. VASPs must monitor, assess and maintain the effectiveness of their Technology Governance and Risk Assessment Framework. In particular, VASPs must review, update and arrange for the testing of their policies, processes, procedures and controls aimed at managing risks on a periodic basis, having regard to the macroeconomic environment in which the VASP operates, as well as emerging technology risks relating to their systems and consideration of international standards and industry best practice codes.

6. VARA has provided Guidance, in Schedule 1 of this Technology & Information Rulebook, on the categories of risk, the risk mitigation measures and standards that a VASP's Technology Governance and Risk Assessment Framework should cover when complying with the Rules in this Part I of the Technology & Information Rulebook.

7. As prescribed by Rule I.I.1 of this Technology and Information Rulebook, VASPs must appoint a Chief Information Security Officer who is responsible for ensuring that the VASP complies with Part I and Part III of this Technology and Information Rulebook.