B. Technology and Security
Effective from Feb 07 2023 - Sep 18 2023
To view other versions open the versions tab on the right
1. | Risk assessment and controls. Issuers must ensure that they implement systems and controls necessary to address risks, including but not limited to cybersecurity-related risks, to its Virtual Asset and the issuance of such Virtual Asset. Such systems and controls should address a number of factors, including but not limited to the nature, scale and complexity and the level of risk inherent with the Virtual Asset. | |||
2. | Issuers must implement a technology governance and risk assessment framework which must be comprehensive and proportionate to the nature, scale, and complexity of the risks inherent to all Virtual Assets it issues. The technology governance and risk assessment framework should apply to all technologies relevant to the Virtual Asset. | |||
3. | Issuers must ensure that its technology governance and risk assessment is capable of determining the necessary processes and controls that it must implement in order to adequately mitigate any risks identified. In particular, Issuers must ensure that its technology governance and risk assessment framework includes a consideration of the applicability of international standards or industry best practice codes. | |||
4. | Issuers must ensure that its technology governance and risk assessment framework addresses governance policies and system development controls for ongoing development and maintenance, such as a development, maintenance and testing process, back up controls, capacity and performance planning and availability testing. | |||
5. | Testing and audit. Issuers must engage a qualified and independent third-party auditor to conduct— |
|||
a. | comprehensive audits of the effectiveness, enforceability and robustness of all smart contracts used for the purposes of a Virtual Asset; and | |||
b. | vulnerability assessments and penetration testing. |
|||
6. | Issuers should maintain effective internal functions and measures for continuous monitoring of its operations and processes. In particular, Issuers must perform the following on a regular basis or on request by VARA— |
|||
a. | security testing on both infrastructure and applications; and | |||
b. | internal system and external system vulnerability audits. |
|||
7. | Evidence of tests and audits must be documented by Issuers and made immediately available for inspection by VARA upon request. |