H. Business Continuity, Cybersecurity Events and Risk

1. VASPs must adopt sufficient procedures and controls to manage the risks relating to their business, VA Activities and systems. In particular, VASPs must implement an audited risk management programme in accordance with applicable laws and regulations [including those related to cybersecurity] and the requirements of VARA from time to time. The risk management programme shall include—
 
  a. strategies to identify, assess, monitor and manage operational risk;
  b. procedures concerning operational risk management;
  c. an operational risk assessment methodology; and
  d. a risk reporting system for operational risk.
 
2. VASPs must monitor and assess operational risk management procedures on a continuous basis. In particular, VASPs must review, update and arrange for the testing of their procedures and controls aimed at managing risks on a periodic basis, having regard to the macroeconomic environment in which the VASP operates, as well as emerging technology risks relating to their systems.
3. VASPs must implement, maintain, test and update on an annual basis an adequate Business Continuity and Disaster Recovery Plan [BCDR Plan] to minimise disruption to their operations. The BCDR Plan must address, but not be limited to—
 
  a. events that may trigger the implementation of the BCDR Plan, such as cybersecurity events and technical failures, and procedures to be taken to assess the nature, scope and impact of the event;
  b. resource requirements, including but not limited to Senior Management and Staff, systems and other assets;
  c. recovery priorities for the VASP’s operations, including but not limited to the preservation of essential data and critical functions and the maintenance of those data and functions;
  d. communication arrangements for affected internal and external parties;
  e. processes to validate the integrity of information affected by any interruption;
  f. procedures to mitigate operational impact and/or to transfer operational functions including, but not limited to, escalation of response and recovery activities to designated personnel and management;
  g. an alternative site sufficient to recover and continue operations for a reasonable period; and
  h. procedures to remediate identified and/or exploited vulnerabilities or upgrade relevant protocols once stable operations are resumed to prevent similar events.
 
4. The BCDR Plan should take into consideration and address factors and issues specific to Virtual Assets and DLT including, but not limited to, network malfunction, loss of data or compromise in data integrity, and key storage and maintenance of authorisation layers.