| 1. | VASPs must engage a qualified and independent third-party auditor to conduct vulnerability assessments and penetration testing (including, to the extent relevant to the VASP’s business and VA Activities, comprehensive audits of the effectiveness, enforceability and robustness of all smart contracts) at least on an annual basis and prior to the introduction of any new systems, applications and products. VASPs must provide the results of any such assessments and tests to VARA upon VARA’s request. |
| 2. | VASPs should maintain effective internal functions and measures for continuous monitoring of their operations and processes. In particular, on a regular basis and on request by VARA, VASPs must perform—
|
| | a. | security testing on both infrastructure and applications; and |
| | b. | internal system and external system vulnerability audits.
|
| 3. | Evidence of tests and audits must be documented by VASPs and made immediately available by them for inspection by VARA, upon VARA’s request. |
| 4. | VASPs shall ensure that they are regularly audited by independent auditors to examine their management processes for ensuring the effectiveness of their processes, procedures and controls, and their compliance with regulatory requirements. VASPs must provide the results of any such audit to VARA upon VARA’s request. |
| 5. | VARA may notify a VASP that it is required to carry out advanced testing by means of TLPT, where VARA considers it necessary and proportionate to do so, taking into account the following factors–
|
| | a. | any specific risks to which a VASP is or might be exposed; |
| | b. | the criticality of a VASP's business and/or VA Activities; and |
| | c. | any other relevant risks.
|
| 6. | All TLPTs required under Rule I.E.5 must be carried out in accordance with the following conditions—
|
| | a. | each TLPT is to be carried out by an external tester; |
| | b. | TLPTs may be required by VARA to cover Critical or Important Functions of a VASP and, where required, be performed on live production systems, technologies and processes supporting such Functions; |
| | c. | where it is necessary for third-party service providers of the VASP to be included in the scope of a TLPT, the VASP shall ensure the participation of such third-party service providers in the TLPT; |
| | d. | VASPs shall mitigate the risks of testing including any potential impact on data, damage to assets, and disruption to Critical or Important Functions, services or operations at the VASP itself or to counterparts, and with due security assurance of data and privacy of client assets; |
| | e. | at the end of the testing, the VASP (together with the external tester) shall produce a summary of the relevant findings, the remediation plans and the documentation demonstrating that the TLPT has been conducted in accordance with all relevant requirements as stated herein; and |
| | f. | the VASP shall promptly provide all documentation relating to the TLPT to VARA, including the summary of the relevant findings, the remediation plans and the documentation demonstrating that the TLPT has been conducted in accordance with all relevant requirements as stated herein.
|
| 7. | VASPS must ensure that the external testers they use to carry out any TLPT—
|
| | a. | are suitable and of good repute; |
| | b. | possess all necessary technical and organisational capabilities and demonstrate specific expertise in threat intelligence and penetration testing; |
| | c. | are certified by an accreditation body, or adhere to formal codes of conduct or ethical frameworks; |
| | d. | provide an independent assurance, or an audit report, in relation to the sound management of risks associated with the carrying out of the TLPT, including the due protection of the VASP’s confidential information; and |
| | e. | are duly and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence.
|
| 8. | VASPs shall ensure that contracts concluded with external testers—
|
| | a. | require sound management of the TLPT results and any data processing thereof, including any generation, storage, aggregation, draft, report, communication or destruction; and |
| | b. | do not create additional risks for the VASP or any of its systems.
|
| 9. | Third-party technology service providers. Where the participation of a third-party technology service provider is required in any TLPT, as referred to in Rule I.E.6.c, the VASP and the third-party technology service provider may agree that such third-party technology service provider directly enters into contractual arrangements with the external tester appointed by the VASP under Rule I.E.6.a, if such participation is reasonably expected to have an adverse impact on—
|
| | a. | the quality or security of services delivered by such third-party technology service provider to the market; or |
| | b. | on the confidentiality of the data related to such services.
|
| 10. | In the event that a third-party technology service provider directly enters into contractual arrangements with the external tester appointed by the VASP for a TLPT under Rule I.E.9, the VASP notified by VARA to carry out the TLPT must ensure that—
|
| | a. | the third-party technology service provider remains under the direction of the VASP; |
| | b. | the results shall cover the relevant range of services supporting Critical or Important Functions of the VASP notified by VARA; and |
| | c. | all results provided by the third-party technology service provider to the external tester must be a fair representation of, and specific to, the VASP.
|