| 1. |
VASPs must create and implement a policy which outlines their procedures for the protection of their electronic systems and client and counterparty data stored on those systems [Cybersecurity Policy]. VASPs must submit their Cybersecurity Policy to VARA for assessment as part of the licensing process and at any subsequent time upon request from VARA. |
| 2. |
VASPs must ensure that their Cybersecurity Policy is reviewed and updated at least annually by their CISO. |
| 3. |
VASPs must ensure that their Cybersecurity Policy contains sound procedures and security mechanisms in accordance with best industry practices that will enable them to comply with all applicable information security, data protection and data privacy laws and regulations, including but not limited to Part II of this Technology and Information Rulebook and the PDPL, whilst maintaining the confidentiality of data at all times. The Cybersecurity Policy must address the following minimum criteria—
|
| |
a. |
information security; |
| |
b. |
data governance and classification; |
| |
c. |
access controls; |
| |
d. |
capacity and performance planning; |
| |
e. |
systems operations and availability concerns; |
| |
f. |
systems and network security, consensus protocol methodology, code and smart contract validation and audit processes; |
| |
g. |
systems and application development and quality assurance; |
| |
h. |
physical security and environmental controls, including but not limited to procedures around access to premises and systems; |
| |
i. |
procedures regarding their facilitation of Virtual Asset transactions initiated by a client including, but not limited to. considering multi-factor authentication or any better standard for Virtual Asset transactions that—
|
| |
|
i. |
exceed transaction limits set by the client, such as accumulative transaction limits over a period of time; and |
| |
|
ii. |
are initiated after a change of personal details by the client, such as the address of a VA Wallet;
|
| |
j. |
procedures regarding client authentication and session controls including, but not limited to, the maximum incorrect attempts for entering a password, appropriate time-out controls and password validity periods; |
| |
k. |
procedures establishing adequate authentication checks when a change to a client’s account information or contact details is requested; |
| |
l. |
in addition to all applicable requirements in Part II of this Technology and Information Rulebook, client data privacy, including but not limited to—
|
| |
|
i. |
the security and authentication of the means of transfer of information; |
| |
|
ii. |
the minimisation of the risk of data corruption and unauthorised access to data; and |
| |
|
iii. |
the prevention of information leakage;
|
| |
m. |
vendor and third-party service provider management; |
| |
n. |
monitoring and implementing changes to core protocols not directly controlled by the VASP, as applicable; |
| |
o. |
incident response, including but not limited to root cause analysis and rectification activities to prevent reoccurrence; |
| |
p. |
supplier probity and Staff vetting procedures; |
| |
q. |
governance framework and escalation procedures for effective decision-making and proper management and control of risks and emergency incidents, including but not limited to responses to ransomware and other forms of cyberattacks; and |
| |
r. |
hardware and infrastructure standards, including but not limited to network lockdown, services/desktop security and firewall standards.
|