| 1. | VASPs must implement, maintain, test and update on an annual basis an adequate Business Continuity and Disaster Recovery Plan (“BCDR Plan”) to minimise disruption to their operations. The BCDR Plan must address, but not be limited to—
|
| | a. | events that may trigger the implementation of the BCDR Plan, such as cybersecurity events and technical failures, and procedures to be taken to assess the nature, scope and impact of the event; |
| | b. | resource requirements, including but not limited to Senior Management and Staff, systems and other assets; |
| | c. | recovery priorities for the VASP’s operations, including but not limited to the preservation of essential data and critical functions and the maintenance of those data and functions; |
| | d. | communication arrangements for affected internal and external parties; |
| | e. | processes to validate the integrity of information affected by any interruption; |
| | f. | procedures to mitigate operational impact and/or to transfer operational functions including, but not limited to, escalation of response and recovery activities to designated personnel and management; |
| | g. | an alternative site sufficient to recover and continue operations for a reasonable period; and |
| | h. | procedures to remediate identified and/or exploited vulnerabilities or upgrade relevant protocols once stable operations are resumed to prevent similar events.
|
| 2. | The BCDR Plan should take into consideration and address factors and issues specific to Virtual Assets and DLT including, but not limited to, network malfunction, loss of data or compromise in data integrity, and key storage and maintenance of authorisation layers.
|