Skip to main content

K. Notification to VARA

1. In addition to relevant requirements in the Compliance and Risk Management Rulebook, upon the detection of an occurrence of a cybersecurity event or other event triggering the implementation of the BCDR Plan that materially impacts a VASP’s business operations, the VASP shall report such event to VARA as soon as reasonably practicable, and in any event no later than seventy-two [72] hours from detection, with all relevant details of the nature, scope and impact of such event and the steps the VASP is or will be taking to mitigate such impact including, but not limited to, whether any notifications or reports have been made to authorities other than VARA.