| 1. |
VASPs must engage a qualified and independent third-party auditor to conduct vulnerability assessments and penetration testing [including, to the extent relevant to the VASP’s business and VA Activities, comprehensive audits of the effectiveness, enforceability and robustness of all smart contracts] at least on an annual basis and prior to the introduction of any new systems, applications and products. VASPs must provide the results of any such assessments and tests to VARA upon VARA’s request. |
| 2. |
VASPs should maintain effective internal functions and measures for continuous monitoring of their operations and processes. In particular, on a regular basis and on request by VARA, VASPs must perform—
|
| |
a. |
security testing on both infrastructure and applications; and |
| |
b. |
internal system and external system vulnerability audits.
|
| 3. |
Evidence of tests and audits must be documented by VASPs and made immediately available by them for inspection by VARA upon request. |
| 4. |
VASPs shall ensure that they are regularly audited by independent auditors to examine their management processes for ensuring the effectiveness of their systems, controls, policies and procedures and their compliance with regulatory requirements. VASPs must provide the results of any such audit to VARA upon VARA’s request.
|