| 1. |
VASPs must ensure that they implement systems and controls necessary to address the risks, including cybersecurity-related risks, to their business and VA Activities. Such systems and controls should take into account a number of factors including, the nature, scale and complexity of the VASP’s business, the diversity of its operations, the volume and size of its transactions and the level of risk inherent with its business. |
| 2. |
VASPs must implement a technology governance and risk assessment framework which must be comprehensive and proportionate to the nature, scale, and complexity of the risks inherent in their business model and VA Activities. The technology governance and risk assessment framework should apply to all technologies relevant to a VASP’s business and VA Activities and clearly set out the VASP’s cybersecurity objectives, including the requirements for the competency of Staff and, as relevant, end users and clients and clearly defined systems and procedures necessary for managing risks. |
| 3. |
VASPs must ensure that their technology governance and risk assessment is capable of determining the necessary processes and controls that they must implement in order to adequately mitigate any risks identified. In particular, VASPs must ensure that their technology governance and risk assessment framework includes consideration of international standards and industry best practice codes. |
| 4. |
VASPs must ensure that their technology governance and risk assessment framework addresses appropriate governance policies and system development controls, such as a development, maintenance and testing process for technology systems and operations controls, back-up controls, capacity and performance planning and availability testing. |
| 5. |
As prescribed by Rule I.I.1 of this Technology and Information Rulebook, VASPs must appoint a Chief Information Security Officer who is responsible for ensuring that the VASP complies with Part I and Part III of this Technology and Information Rulebook.
|