B. Technology and Security

1. Risk assessment and controls. Issuers must ensure that they implement systems and controls necessary to address risks including, but not limited to, cybersecurity-related risks to the Virtual Asset and the issuance of such Virtual Asset. Such systems and controls should address a number of factors including, but not limited to, the nature, scale and complexity and the level of risk inherent with the Virtual Asset.
2. Issuers must implement a technology governance and risk assessment framework which must be comprehensive and proportionate to the nature, scale, and complexity of the risks inherent to all Virtual Assets they issue. The technology governance and risk assessment framework should apply to all technologies relevant to the Virtual Asset.
3. Issuers must ensure that their technology governance and risk assessments are capable of determining the necessary processes and controls that they must implement in order to adequately mitigate any risks identified. In particular, Issuers must ensure that their technology governance and risk assessment frameworks include a consideration of the applicability of international standards, or industry best practice codes.
4. Issuers must ensure that their technology governance and risk assessment frameworks address governance policies and system development controls for ongoing development and maintenance, such as a development, maintenance and testing process, back up controls, capacity and performance planning and availability testing.
5. Testing and audit. Issuers must engage a qualified and independent third-party auditor to conduct—
 
  a. comprehensive audits of the effectiveness, enforceability and robustness of all smart contracts used for the purposes of a Virtual Asset; and
  b. vulnerability assessments and penetration testing.
 
6. Issuers should maintain effective internal functions and measures for continuous monitoring of their operations and processes. In particular, Issuers must perform the following on a regular basis, and as may be requested by VARA—
 
  a. security testing on both infrastructure and applications; and
  b. internal system and external system vulnerability audits.
 
7. Evidence of tests and audits must be documented by Issuers and be made immediately available for inspection by VARA upon request.