• SIO-9 Technology Governance & Cyber Security

    • SIO-9.1 General Requirements

      • SIO-9.1.1

        Stablecoin issuers must have in place clear and comprehensive policies and procedures, from a technology perspective, for the following key areas:

        (a) Maintenance and development of systems and architecture (e.g., code version control, implementation of updates, issue resolution, regular internal and third-party testing);
        (b) Security measures and procedures for the safe storage and transmission of data;
        (c) Business continuity and client engagement planning in the event of both planned and unplanned system outages;
        (d) Processes and procedures specifying management of personnel and decision-making by qualified staff; and
        (e) Procedures for the creation and management of services, interfaces and channels provided by or to third parties (as recipients and providers of data or services).
        Added: July 2025

      • SIO-9.1.2

        Stablecoin issuers must, as a minimum, have in place systems and controls with respect to the following:

        (a) Wallets: Procedures describing the creation, management and controls of wallets, including:

        i. Wallet setup/configuration/deployment/deletion/backup and recovery;
        ii. Wallet access privilege management;
        iii. Wallet user management;
        iv. Wallet rules and limit determination, review and update; and
        v. Wallet audit and oversight.

        (b) Private keys: Procedures describing the creation, management and controls of private keys, including:

        i. Private key generation;
        ii. Private key exchange;
        iii. Private key storage;
        iv. Private key backup;
        v. Private key destruction; and
        vi. Private key access management.

        (c) Origin and destination of approved stablecoins: Systems and controls to mitigate the risk of misuse of approved stablecoins, setting out how:

        i. The origin of approved stablecoin is determined, in case of an incoming transaction; and
        ii. The destination of approved stablecoin is determined, in case of an outgoing transaction.

        (d) Security: A security plan describing the security arrangements relating to:

        i. The privacy of sensitive data;
        ii. Networks and systems;
        iii. Cloud based services;
        iv. Physical facilities; and
        v. Documents, and document storage.

        (e) Risk management: A risk management plan containing a detailed analysis of likely risks with both high and low impact, as well as mitigation strategies. The risk management plan must cover, but is not limited to:

        i. Operational risks;
        ii. Technology risks, including ‘hacking’ related risks;
        iii. Market risk; and
        iv. Risk of financial crime.
        Added: July 2025

      • SIO-9.1.3

        The CBB may grant waivers from specific requirements of technology governance and cyber security. A stablecoin issuer seeking a waiver from specific requirements must demonstrate in writing, to the satisfaction of the CBB, that the nature, scale and complexity of its business does not require such technology governance and cyber security measures, and that in the absence of such measures there will be no risk of violation of applicable laws, including the CBB Law, its regulations, resolutions or directives (including these rules), or risks to the integrity of the market and/or the interests of clients.

        Added: July 2025

      • System Resilience

        • SIO-9.1.4

          Stablecoin issuers must have in place effective systems, procedures and arrangements to ensure that their IT systems are resilient to meet the business requirements.

          Added: July 2025

        • SIO-9.1.5

          Stablecoin issuers must continuously monitor the utilisation of their system resources against a set of pre-defined thresholds. Such monitoring must facilitate the licensee in carrying out capacity management to ensure IT resources are adequate to meet current and future business needs.

          Added: July 2025

        • SIO-9.1.6

          Stablecoin issuers must conduct regular testing of the resilience of their IT systems to confirm that they meet business requirements.

          Added: July 2025

        • SIO-9.1.7

          A stablecoin issuer’s IT system must be designed and implemented in a manner to achieve the level of system availability that is commensurate with its business needs. Fault-tolerant solutions must be implemented for IT systems which require high system availability and technical glitches must be minimized.

          Added: July 2025

    • SIO-9.2 Maintenance and Development of Systems

      • SIO-9.2.1

        Stablecoin issuers must have a clear and well-structured approach for the implementation and upgrade of systems and software.

        Added: July 2025

      • SIO-9.2.2

        Stablecoin issuers must also have well-established policies and procedures for the regular and thorough testing of any system currently implemented or being considered for use. Stablecoin issuers must ensure that the implementation of new systems, or upgrading of existing systems, is thoroughly checked by multiple members of technology staff.

        Added: July 2025

      • SIO-9.2.3

        Licensed stablecoin issuers must maintain a clear and comprehensive audit trail for system issues internally, including security issues and those with third parties, and their resolution.

        Added: July 2025

    • SIO-9.3 Security Measures and Procedures

      • SIO-9.3.1

        Stablecoin issuers must have measures and procedures in place which comply with network security best practices (e.g., the implementation of firewalls, the regular changing of passwords and encryption of data in transit and at rest). Updates and patches to all systems, particularly security systems, must be performed as soon as safely feasible after such updates and patches have been released.

        Added: July 2025

      • SIO-9.3.2

        The IT infrastructures must provide strong layered security and ensure elimination of “single points of failure”. Stablecoin issuers must maintain IT infrastructure security policies, describing in particular how strong layered security is provided and how “single points of failure” are eliminated. IT infrastructures must be strong enough to resist, without significant loss to clients, a number of scenarios, including but not limited to accidental destruction or breach of a single facility, collusion or leakage of information by employees/former employees within a single office premise, successful hack of a cryptographic module or server, or access by hackers of any single set of encryption/decryption keys.

        Added: July 2025

      • SIO-9.3.3

        Stablecoin issuers must regularly test security systems and processes. System components, processes, and custom software must be tested frequently to ensure security controls continue to reflect a changing environment.

        Added: July 2025

      • SIO-9.3.4

        Stablecoin issuers must have in place policies and procedures that address information security for all staff, set the security tone for the whole entity and inform staff what is expected of them. All staff should be aware of the sensitivity of data and of their responsibilities for protecting it.

        Added: July 2025

      • SIO-9.3.5

        The encryption of data, both at rest and in transit, including consideration of API security, should be included in the security policy. In particular, encryption and decryption of private keys should use encryption protocols or algorithms that have broad acceptance among cyber security professionals. Critical cryptographic functions such as encryption, decryption, generation of private keys, and the use of digital signatures should only be performed within cryptographic modules complying with the highest, and ideally internationally recognised, applicable security standards.

        Added: July 2025

      • SIO-9.3.6

        Stablecoin issuers must conduct regular security tests of their systems, network, and connections.

        Added: July 2025

    • SIO-9.4 Cryptographic Keys and Wallet Storage

      • SIO-9.4.1

        Stablecoin issuers must implement robust procedures and protective measures to ensure the secure generation, storage, backup and destruction of both public and private keys.

        Added: July 2025

      • SIO-9.4.2

        Stablecoin issuers must use multi-signature wallets, i.e. wallets where multiple private keys are associated with a given public key and a subset of these private keys, held by different parties, is required to authorise transactions.

        Added: July 2025

      • Private Key Management

        • SIO-9.4.3

          A stablecoin issuer must establish and implement strong internal controls and governance procedures for private key management to ensure all cryptographic seeds and private keys are securely generated, stored and backed up. A stablecoin issuer using a third-party custodian to hold approved stablecoin must ensure that the third-party custodian establishes and implements such controls and procedures. The procedure must include the following:

          (a) The generated seed and private key must be sufficiently resistant to speculation or collusion. The seed and private key should be generated in accordance with applicable international security standards and industry best practices, so as to ensure that the seeds (where Hierarchical Deterministic Wallets, or similar processes, are used) or private keys (if seed is not used) are generated in a nondeterministic manner that ensures randomness so that they are not reproducible. Where practicable, seed and private key should be generated offline and kept in a secure environment, such as a Hardware Security Module (HSM), with appropriate certification for the lifetime of the seeds or private keys;
          (b) Detailed specifications for how access to cryptographic devices or applications is to be authorised, covering key generation, distribution, use and storage, as well as the immediate revocation of a signatory’s access as required;
          (c) Access to seed and private key relating to approved stablecoins is tightly restricted among senior management personnel residing in Bahrain, no single person has possession of information on the entirety of the seed, private key or backup passphrases, and controls are implemented to mitigate the risk of collusion among authorised personnel; and
          (d) Distributed backups of the seed or private key are kept so as to mitigate any single point of failure. The backups need to be distributed in a manner such that an event affecting the primary location of the seed or private key does not affect the backups. The backups should be stored in a protected form on external media (preferably an HSM with appropriate certification).
          (e) Distributed backups should be stored in a manner that ensures seed and private key cannot be regenerated based solely on the backups stored in the same physical location. Access control to the backups must be as stringent as access control to the original seed and private key.
          Added: July 2025
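
          The following is an added illustration, not part of the CBB rulebook or any issuer's implementation, of the backup properties required by SIO-9.4.3(c), (d) and (e): a seed is split with Shamir secret sharing so that any three of five shares rebuild it, fewer than three reveal nothing, and a placement check confirms that no single site holds enough shares to regenerate the seed on its own. The seed value, the 3-of-5 parameters and the site names are constructed for the demonstration; a production deployment would generate and split the seed inside the certified HSM the rule calls for rather than in Python.

```python
import secrets
from typing import Dict, List, Optional, Tuple

# Prime field for the arithmetic: the Mersenne prime 2^521 - 1, large enough
# that any 32-byte seed or key is an integer below it.
P = (1 << 521) - 1

Share = Tuple[int, int]  # (x, f(x)) evaluated on a random polynomial


def split_secret(secret: bytes, threshold: int, n_shares: int) -> List[Share]:
    """Shamir split: any `threshold` shares rebuild `secret`, fewer reveal nothing."""
    if not 1 < threshold <= n_shares:
        raise ValueError("need 1 < threshold <= n_shares")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret too large for the field")
    # f(x) = s + a1*x + ... + a_{k-1}*x^{k-1}; coefficients come from a CSPRNG
    coeffs = [s] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, n_shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares: List[Share], secret_len: int) -> bytes:
    """Lagrange interpolation at x = 0; caller must supply >= threshold shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    # With too few shares the interpolated value is a random field element,
    # which almost surely does not fit the original length.
    if total >= 1 << (8 * secret_len):
        raise ValueError("too few or corrupted shares")
    return total.to_bytes(secret_len, "big")


def try_recover(shares: List[Share], secret_len: int) -> Optional[bytes]:
    """Recovery attempt that reports failure instead of raising."""
    try:
        return recover_secret(shares, secret_len)
    except ValueError:
        return None


def no_location_can_regenerate(location_of: Dict[int, str], threshold: int) -> bool:
    """SIO-9.4.3(e) check: no single site holds enough shares to rebuild the seed."""
    counts: Dict[str, int] = {}
    for site in location_of.values():
        counts[site] = counts.get(site, 0) + 1
    return all(n < threshold for n in counts.values())


# Constructed demonstration seed; not a real wallet seed or key.
DEMO_SEED = bytes(range(32))
DEMO_THRESHOLD, DEMO_SHARES = 3, 5
# Hypothetical placement of the five shares across three backup sites.
DEMO_PLACEMENT = {1: "site-A", 2: "site-A", 3: "site-B", 4: "site-B", 5: "site-C"}

if __name__ == "__main__":
    shares = split_secret(DEMO_SEED, DEMO_THRESHOLD, DEMO_SHARES)
    print("3 shares rebuild seed:", recover_secret(shares[:3], 32) == DEMO_SEED)
    print("2 shares rebuild seed:", try_recover(shares[:2], 32) == DEMO_SEED)
    print("placement satisfies (e):", no_location_can_regenerate(DEMO_PLACEMENT, DEMO_THRESHOLD))
```

          The placement check is the operational part of the rule: two shares at site-A and two at site-B leave each site below the threshold, whereas moving a third share to site-A would let that one location regenerate the seed, which (e) forbids. Secret sharing protects the backup copies; it is distinct from the multi-signature wallets of SIO-9.4.2, where the key is never reassembled at all. `pow(den, -1, P)` needs Python 3.8 or later.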

    • SIO-9.5 Planned and Unplanned System Outages

      • SIO-9.5.1

        Stablecoin issuers must have multiple communication channels to ensure that their clients are informed, ahead of time, of any outages which may affect them.

        Added: July 2025

      • SIO-9.5.2

        Stablecoin issuers must have clear, publicly available, procedures articulating the process in the event of an unplanned outage. During an unplanned outage, licensed stablecoin issuers must be able to rapidly disseminate key information and updates on a frequent basis.

        Added: July 2025

      • SIO-9.5.3

        Stablecoin issuers should have a programme of planned systems outages to provide for adequate opportunities to perform updates and testing.

        Added: July 2025

    • SIO-9.6 Cyber Security

      • General Requirements

        • SIO-9.6.1

          Stablecoin issuers must establish and maintain an effective cyber security program to ensure the availability and functionality of the licensee’s electronic systems and to protect those systems and any sensitive data stored on those systems from unauthorized access, use, or tampering. The cyber security program must be designed to perform, at the minimum, the following five core cyber security functions:

          (a) identify internal and external cyber security risks by, at a minimum, identifying the information stored on the licensee’s systems, the sensitivity of such information, and how and by whom such information may be accessed;
          (b) protect the licensee’s electronic systems, and the information stored on those systems, from unauthorized access, use, or other malicious acts through the use of defensive infrastructure and the implementation of policies and procedures;
          (c) detect system intrusions, data breaches, unauthorized access to systems or information, malware, and other cyber security events;
          (d) respond to detected cyber security events to mitigate any negative effects; and
          (e) recover from cyber security events and restore normal operations and services.
          Added: July 2025

        • SIO-9.6.2

          Stablecoin issuers must have a robust cyber security risk management framework that encompasses, at a minimum, the following components:

          (a) Cyber security strategy;
          (b) Cyber security policy; and
          (c) Cyber security risk management approach, tools and methodology, and an organization-wide security awareness program.
          Added: July 2025

        • SIO-9.6.3

          The cyber security risk management framework must be developed in accordance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which is summarized in Appendix A – Cyber security Control Guidelines. Broadly, the cyber security risk management framework should be consistent with the licensed stablecoin issuer’s risk management framework.

          Added: July 2025

        • SIO-9.6.4

          Senior management, and where appropriate, the boards, should receive comprehensive reports, covering cyber security issues such as the following:

          (a) Key Risk Indicators/ Key Performance Indicators;
          (b) Status reports on overall cyber security control maturity levels;
          (c) Status of staff Information Security awareness;
          (d) Updates on latest internal or relevant external cyber security incidents; and
          (e) Results from penetration testing exercises.
          Added: July 2025

        • SIO-9.6.5

          Stablecoin issuers may establish a cyber security committee that is headed by an independent senior manager from a control function (like CRO), with appropriate authority to approve policies and frameworks needed to implement the cyber security strategy, and act as a governance committee for the cyber security function. Membership of this committee should include senior management members from business functions, IT, Risk and Compliance.

          Added: July 2025

      • Roles and Responsibilities of the Board

        • SIO-9.6.6

          The board must provide oversight and accord sufficient priority and resources to manage cyber security risk, as part of the stablecoin issuer’s overall risk management framework.

          Added: July 2025

        • SIO-9.6.7

          In discharging its oversight functions, the board must:

          (a) Ensure that the licensed stablecoin issuer’s strategy, policy and risk management approach relating to cyber security are presented for the board’s deliberation and approval;
          (b) Ensure that the approved cyber security risk policies and procedures are implemented by the management;
          (c) Monitor the effectiveness of the implementation of the stablecoin issuer’s cyber security risk policies and procedures and ensure that such policies and procedures are periodically reviewed, improved and updated, where required. This may include setting performance metrics or indicators, as appropriate, to assess the effectiveness of the implementation of cyber security risk policies and procedures;
          (d) Ensure that adequate resources are allocated to manage cyber security including appointing a qualified person as Chief Information Security Officer (“CISO”) with appropriate authority to implement the cyber security strategy. The CISO is the person responsible and accountable for the effective management of cyber security;
          (e) Ensure that the impact of cyber security risk is adequately assessed when undertaking new activities, including but not limited to any new products, investment decision, merger and acquisition, adoption of new technology and outsourcing arrangements;
          (f) Ensure that the management continues to promote awareness on cyber resilience at all levels within the licensee;
          (g) Ensure that the board keeps itself updated and is aware of new or emerging trends of cyber security threats and understands the potential impact of such threats to the licensed stablecoin issuer.
          Added: July 2025

      • Roles and Responsibilities of the Management

        • SIO-9.6.8

          The management is responsible for:

          (a) Establishing and implementing cyber security policies and procedures that are commensurate with the level of cyber security risk exposure and its impact on the stablecoin issuer. These policies and procedures must take into account the following:

          i. The sensitivity and confidentiality of data which the stablecoin issuer maintains;
          ii. Vulnerabilities of the stablecoin issuer’s information systems and operating environment across the licensee; and
          iii. The existing and emerging cyber security threats.
          (b) Ensuring that employees, agents (where relevant) and third-party service providers are aware of and understand the cyber security risk policies and procedures, the possible impact of various cyber security threats and their respective roles in managing such threats;
          (c) Recommending to the board appropriate strategies and measures to manage cyber security risk, including making necessary changes to existing policies and procedures, as appropriate; and
          (d) Reporting to the board any cyber security breaches and periodically updating the board on emerging cyber security threats and their potential impact on the stablecoin issuer.
          Added: July 2025

        • SIO-9.6.9

          Management must ensure that:

          (a) The stablecoin issuer has identified clear internal ownership and classification for all information assets and data;
          (b) The stablecoin issuer has maintained an inventory of the information assets and data which is reviewed and updated regularly;
          (c) Employees responsible for cyber security are adequate to manage the licensed stablecoin issuer’s cyber security risks and facilitate the performance and continuous improvement of all relevant cyber security controls; and
          (d) It provides and requires employees involved in cyber security to attend regular cyber security update and training sessions (for example Security+, CEH, CISSP, CISA, CISM, CCSP) to stay abreast of changing cyber security threats and countermeasures.
          Added: July 2025

        • SIO-9.6.10

          With respect to Paragraph SIO-9.6.9(a), data classification entails analyzing the data the stablecoin issuer retains, determining its importance and value, and then assigning it to a category. When classifying data, the following aspects should be determined:

          (a) Who has access to the data;
          (b) How the data is secured;
          (c) How long the data is retained (this includes backups);
          (d) What method should be used to dispose of the data;
          (e) Whether the data needs to be encrypted; and
          (f) What use of the data is appropriate.

          The general guideline for data classification is that the definition of the classification should be clear enough so that it is easy to determine how to classify the data. The owner of data (i.e. the relevant business function) should be involved in such classification.

          Added: July 2025

      • Cyber Security Strategy

        • SIO-9.6.11

          An organisation-wide cyber security strategy must be defined and documented to include:

          (a) The position and importance of cyber security at the stablecoin issuer;
          (b) The primary cyber security threats and challenges facing the stablecoin issuer;
          (c) The stablecoin issuer’s approach to cyber security risk management;
          (d) The key elements of the cyber security strategy including objectives, principles of operation and implementation approach;
          (e) Scope of risk identification and assessment, which must include the dependencies on third party service providers;
          (f) Approach to planning response and recovery activities; and
          (g) Approach to communication with internal and external stakeholders, including sharing of information on identified threats and other intelligence among industry participants.
          Added: July 2025

        • SIO-9.6.12

          The cyber security strategy should be communicated to the relevant stakeholders, and it should be revised as necessary and, at least, once every three years. Appendix A provides cyber security control guidelines that can be used as a reference to support the stablecoin issuer’s cyber security strategy and cyber security policy.

          Added: July 2025

        • SIO-9.6.13

          Stablecoin issuers must implement a written cyber security risk policy setting out the licensee’s board-approved policies and the related procedures approved by senior management, for the protection of its electronic systems and client data stored on those systems. This policy must be reviewed and approved by the licensee’s board of directors at least annually. The cyber security policy, among others, must address the following areas:

          (a) A statement of the stablecoin issuer’s overall cyber risk tolerance as aligned with the licensee’s business strategy. The cyber risk tolerance statement should be developed through consideration of the various impacts of cyber threats including customer impact, service downtime, recovery time objectives and occurrence/severity of cyber security breaches. The statement must also consider the impact on clients, potential negative media publicity, potential regulatory penalties, financial loss etc.;
          (b) Strategy and measures to manage cyber security risk encompassing prevention, detection and recovery from a cyber security breach;
          (c) Roles, responsibilities and lines of accountability of the board, the board committees, the person responsible and accountable for effective management of cyber security risk and key personnel involved in functions relating to the management of cyber security risk (such as information technology and security, business units and operations, risk management, business continuity management and internal audit);
          (d) Processes and procedures for the identification, detection, assessment, prioritisation, containment, response to, and escalation of cyber security breaches for decision-making;
          (e) Processes and procedures for the management of outsourcing, system development and maintenance arrangements with third party service providers, including requirements for such third-party service providers to comply with the licensed stablecoin issuer’s cyber security risk policy;
          (f) Communication procedures that will be activated by the stablecoin issuer in the event of a cyber security breach, which include reporting procedures, information to be reported, communication channels, list of internal and external stakeholders and communication timeline; and
          (g) Other key elements of the information security and cyber security risk management including the following:

          i. information security;
          ii. data governance and classification;
          iii. access controls;
          iv. business continuity and disaster recovery planning and resources;
          v. capacity and performance planning;
          vi. systems operations and availability concerns;
          vii. systems and network security;
          viii. systems and application development and quality assurance;
          ix. physical security and environmental controls;
          x. client data privacy;
          xi. vendor and third-party service provider management;
          xii. monitoring and implementing changes to core protocols not directly controlled by the licensee, as applicable;
          xiii. incident response; and
          xiv. system audit.
          Added: July 2025

      • Prevention

        • SIO-9.6.14

          Stablecoin issuers must conduct regular assessments as part of the licensee’s compliance programme to identify potential vulnerabilities and cyber security threats in its operating environment which could undermine the security, confidentiality, availability and integrity of the information assets, systems and networks.

          Added: July 2025

        • SIO-9.6.15

          The assessment of the vulnerabilities of the stablecoin issuer’s operating environment must be comprehensive, including an assessment of potential vulnerabilities relating to the personnel, parties with whom a licensee deals, systems and technologies adopted, business processes and outsourcing arrangements.

          Added: July 2025

        • SIO-9.6.16

          Stablecoin issuers must develop and implement preventive measures to minimise the licensee’s exposure to cyber security risk.

          Added: July 2025

        • SIO-9.6.17

          Preventive measures referred to in Paragraph SIO-9.6.16 above must include, at a minimum, the following:

          (a) Deployment of End Point Protection (EPP) and End Point Detection and Response (EDR), including anti-virus and anti-malware software, to detect, prevent and isolate malicious code;
          (b) Layering systems and systems components;
          (c) Use of firewalls for network segmentation including use of Web Application Firewalls (WAF), where relevant, for filtering and monitoring HTTP traffic between a web application and the Internet, and access control lists to limit unauthorized system access between network segments;
          (d) Rigorous testing at software development stage as well as after deployment to limit the number of vulnerabilities;
          (e) Penetration testing of existing systems and networks;
          (f) Use of authority matrix to limit privileged internal or external access rights to systems and data;
          (g) Use of a secure email gateway to limit email based cyber-attacks such as malware attachments, malicious links, and phishing scams (for example use of Microsoft Office 365 Advanced Threat Protection tools for emails);
          (h) Use of a Secure Web Gateway to limit browser based cyberattacks, malicious websites and enforce organization policies;
          (i) Creating a list of whitelisted applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on the organization’s systems; and
          (j) Implementing Bring Your Own Device “BYOD” security policies to secure all mobile devices with any access to licensee systems, applications, and networks through security measures such as encryption, remote wipe capabilities, and password enforcement.
          Added: July 2025

        • SIO-9.6.18

          Stablecoin issuers should also implement the following prevention controls in the following areas:

          (a) Data leakage prevention to detect and prevent confidential data from leaving the licensee’s technology environment;
          (b) Controls to secure physical network ports against connection to computers which are unauthorised to connect to the licensee’s network, or which do not meet the minimum security requirements defined for licensee computer systems (e.g. Network Access Control); and
          (c) Identity and access management controls to limit the exploitation and monitor the use of privileged and non-privileged accounts.
          Added: July 2025

        • SIO-9.6.19

          Stablecoin issuers must set up anti-spam and anti-spoofing measures to authenticate the licensee’s mail server and to prove to ISPs, mail services and other receiving mail servers that senders are truly authorized to send the email. Examples of such measures include:

          (a) SPF “Sender Policy Framework”;
          (b) DKIM “Domain Keys Identified Mail”; and
          (c) DMARC “Domain-based Message Authentication, Reporting and Conformance”.
          Added: July 2025
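
          As an added illustration, not part of the CBB rulebook or any licensee's tooling, the following Python check reviews the three measures listed in SIO-9.6.19 as a defender would during a periodic control assessment. It parses SPF, DMARC and DKIM TXT records and reports the configurations that leave the domain spoofable: an SPF record ending in `+all` or `?all`, more than the ten DNS-lookup terms RFC 7208 allows (which makes the record evaluate to permerror), a DMARC `p=none` policy, a missing `rua=` reporting address, and a DKIM selector whose `p=` public key is empty. The records are constructed for an imaginary domain; the DKIM key is a labelled placeholder, and in practice the records would be fetched from DNS rather than embedded.

```python
from typing import Dict, List, Optional

# SPF terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> Dict[str, object]:
    """Return the qualifier on 'all' and the number of DNS-lookup terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    lookups = 0
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # strip ':domain', '=value' or '/cidr' to get the bare mechanism name
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def parse_tags(record: str) -> Dict[str, str]:
    """Parse 'k=v; k=v' tag lists as used by DMARC and DKIM TXT records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf: str, dmarc: str, dkim: List[str]) -> List[str]:
    """Return findings; an empty list means all three controls look enforcing."""
    findings: List[str] = []
    s = parse_spf(spf)
    if s["all"] is None:
        findings.append("SPF: no 'all' term, so unlisted senders are not rejected")
    elif s["all"] in ("+", "?"):
        findings.append(f"SPF: '{s['all']}all' lets any host send as the domain")
    elif s["all"] == "~":
        findings.append("SPF: '~all' is softfail only; '-all' is the enforcing form")
    if s["lookups"] > 10:
        findings.append(f"SPF: {s['lookups']} lookup terms exceed the limit of 10 (permerror)")
    d = parse_tags(dmarc)
    if d.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = d.get("p", "")
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} does not enforce")
    if "rua" not in d:
        findings.append("DMARC: no rua= address, so spoofing attempts are never reported")
    if d.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={d['pct']} applies the policy to only part of the mail")
    if not dkim:
        findings.append("DKIM: no selector records published")
    for i, rec in enumerate(dkim, 1):
        if not parse_tags(rec).get("p"):
            findings.append(f"DKIM: selector {i} has an empty p= (key revoked or missing)")
    return findings


# Constructed sample records for an imaginary domain; the DKIM key is a placeholder.
SAMPLE_RECORDS = {
    "good": {
        "spf": "v=spf1 mx include:_spf.mailer.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@issuer.example; pct=100",
        "dkim": ["v=DKIM1; k=rsa; p=CONSTRUCTED_PUBLIC_KEY_BASE64"],
    },
    "weak": {
        "spf": ("v=spf1 a mx ptr include:a.example include:b.example include:c.example "
                "include:d.example include:e.example include:f.example include:g.example "
                "include:h.example +all"),
        "dmarc": "v=DMARC1; p=none",
        "dkim": ["v=DKIM1; k=rsa; p="],
    },
}

if __name__ == "__main__":
    for label, recs in SAMPLE_RECORDS.items():
        print(label, assess(**recs) or ["no findings"])
```

          The "weak" record set is a typical first-deployment state: SPF was published to stop delivery problems rather than to enforce, DMARC was set to `p=none` for monitoring and never tightened, and a DKIM selector was left with an empty key after rotation. Each of those is a finding the check surfaces, and the same function run against the "good" set returns no findings.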

        • SIO-9.6.20

          Stablecoin issuers should subscribe to a Cyber Threat Intelligence service in order to stay abreast of emerging cyber threats, cybercrime actors and state of the art tools and security measures.

          Added: July 2025

        • SIO-9.6.21

          Stablecoin issuers must use a single unified private email domain or its subdomains for communication with clients to prevent abuse by third parties. Stablecoin issuers must not utilise third-party email provider domains for communication with clients. The email domains must comply with the requirements with respect to SPF, DKIM and DMARC in this Module.

          Added: July 2025

        • SIO-9.6.22

          For the purpose of Paragraph SIO-9.6.21, stablecoin issuers with subsidiaries or branches outside Bahrain will be allowed to use additional domains subject to CBB’s review. Licensees may be allowed, subject to CBB’s review, to have their clients receive emails from third-party service providers for specific services offered by such third parties, provided the clients were informed of and agreed to such an arrangement. Examples of such third-party services include informational subscription services and document management services.

          Added: July 2025

        • SIO-9.6.23

          Stablecoin issuers must comply with the following requirements with respect to URLs or other clickable links in communications with clients:

          (a) Limit the use of links in SMS and other short messages (such as WhatsApp) to messages sent as a result of client request or action. Examples of such client actions include verification links for client onboarding, payment links for client-initiated transactions etc.;
          (b) Refrain from using shortened links in communication with clients;

          (c) Implement measures to allow clients to verify the legitimacy of the links which may include:

          i. clear instructions on the licensee’s website/app where the link is sent as a result of client action on the licensee’s website/app;
          ii. communication with clients such as a phone call informing the client to expect a link from the licensee;
          iii. provision of transaction details such as the transaction amount and merchant name in the message sent to the client with the link; and
          iv. use of other verification measures like OTP, password or biometric authentication.
          (d) Create client awareness campaigns to educate their clients on the risk of fraud related to links they receive in SMS, short messages and emails, with clear instructions to clients that stablecoin issuers will not send clickable links in SMS, emails and other short messages to request information or payments unless it is as a result of a client request or action. Stablecoin issuers may also train their clients by sending simulated phishing messages.
          Added: July 2025
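          The following is an added illustration of how a licensee-operated messaging gateway could apply rules (a) to (c) of SIO-9.6.23 before a message is sent; it is not the CBB’s code nor any licensee’s. The approved hosts and the list of shortening services are constructed sample data, and `payment`/`has_transaction_details` are assumed flags supplied by the calling application.

```python
"""Pre-send checks for links in client messages, following the link rules in
SIO-9.6.23. Added illustration, not the CBB's or any licensee's code; it assumes
a licensee-operated messaging gateway that can run a check before a message
is sent. The approved hosts and the shortener list are constructed sample data."""
import re
from urllib.parse import urlparse

# Constructed sample data: hosts the licensee is permitted to link to.
APPROVED_LINK_HOSTS = {"example-issuer.bh"}

# Constructed, illustrative list of link-shortening services; in production
# this list would be maintained from a current source.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}

SHORT_MESSAGE_CHANNELS = {"sms", "whatsapp"}

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>]+")


def extract_links(text):
    """Return the URLs found in a message body, trailing punctuation stripped."""
    return [m.rstrip(".,;:)") for m in URL_RE.findall(text)]


def _approved(host):
    """True for an approved host or any subdomain of one."""
    return host in APPROVED_LINK_HOSTS or any(
        host.endswith("." + d) for d in APPROVED_LINK_HOSTS)


def check_outbound_message(channel, text, client_initiated,
                           payment=False, has_transaction_details=False):
    """Return the rule findings for one outbound message (empty list means OK).

    channel: 'sms', 'whatsapp', 'email', ...
    client_initiated: the message results from a client request or action (rule (a))
    payment: the link is a payment link, so rule (c)(iii) expects amount and merchant
    """
    findings = []
    links = extract_links(text)
    if not links:
        return findings                      # no link, nothing to check
    if channel in SHORT_MESSAGE_CHANNELS and not client_initiated:
        findings.append("link in short message not tied to a client request or action")
    for link in links:
        url = link if link.lower().startswith("http") else "http://" + link
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link not permitted: {host}")   # rule (b)
        elif not _approved(host):
            findings.append(f"link host not on the approved list: {host}")
    if payment and not has_transaction_details:
        findings.append("payment link sent without transaction amount and merchant name")
    return findings
```

          A gateway would refuse to send any message for which the list is non-empty and log the findings; the host check also catches look-alike domains that are neither shortened nor approved.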

      • Cyber Risk Identification and Assessments

        • SIO-9.6.24

          Stablecoin issuers must conduct periodic assessments of cyber threats. For the purpose of analysing and assessing current cyber threats relevant to the licensee, it should take into account the factors detailed below:

          (a) Cyber threat entities including cyber criminals, cyber activists, insider threats;
          (b) Methodologies and attack vectors across various technologies including cloud, email, websites, third parties, physical access, or others as relevant;
          (c) Changes in the frequency, variety, and severity of cyber threats relevant to the region;
          (d) Dark web surveillance to identify any plot for cyber-attacks;
          (e) Examples of cyber threats from past cyber-attacks on the licensee where applicable; and
          (f) Examples of cyber threats from recent cyber-attacks on other organisations.
          Added: July 2025

        • SIO-9.6.25

          Stablecoin issuers must conduct periodic assessments of the maturity, coverage, and effectiveness of all cyber security controls. Cyber security control assessment must include an analysis of the controls’ effectiveness in reducing the likelihood and probability of a successful attack.

          Added: July 2025

        • SIO-9.6.26

          Stablecoin issuers should ensure that the periodic assessments of cyber threats and cyber security controls cover all critical technology systems. A risk treatment plan should be developed for all residual risks which are considered to be above the licensee’s risk tolerance levels.

          Added: July 2025

        • SIO-9.6.27

          Stablecoin issuers must conduct regular technical assessments to identify potential security vulnerabilities for systems, applications, and network devices. The vulnerability assessments must be comprehensive and cover internal technology, external technology, and connections with third parties. Preferably, monthly assessments should be conducted for internal technology and weekly or more frequent assessments for external public facing services and systems.

          Added: July 2025

        • SIO-9.6.28

          With respect to Paragraph SIO-9.6.27, external technology refers to the stablecoin issuer’s public facing technology such as websites, apps and external servers. Connections with third parties include any API or other connections with fintech companies, technology providers, outsourcing service providers etc.

          Added: July 2025

        • SIO-9.6.29

          Stablecoin issuers must have in place vulnerability and patch management processes which include remediation processes to ensure that the vulnerabilities identified are addressed and that security patches are applied where relevant within a timeframe that is commensurate with the risks posed by each vulnerability.

          Added: July 2025

        • SIO-9.6.30

          Stablecoin issuers must perform vulnerability assessment and penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least twice a year. These tests must be used to simulate real world cyber-attacks on the technology environment and must:

          (a) Follow a risk-based approach based on an internationally recognized methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;
          (b) Include both Grey Box and Black Box testing in its scope;
          (c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;
          (d) Be performed internally at periodic intervals by employees having adequate expertise and competency in such testing;
          (e) Be performed, twice a year, by external independent third parties who are rotated out at least every two years; and
          (f) Be performed on either the production environment or on nonproduction exact replicas of the production environment.
          Added: July 2025

        • SIO-9.6.31

          The CBB may require additional third-party security reviews to be performed as needed.

          Added: July 2025

        • SIO-9.6.32

          The time period between two consecutive penetration tests and vulnerability assessments by an independent third party, referred to in Paragraph SIO-9.6.30(e), must be 6 months, and the report on such testing must be provided to the CBB within two months following the end of the month in which the testing took place. The vulnerability assessment and penetration testing reports must include the vulnerabilities identified and a full list of ‘passed’ tests and ‘failed’ tests together with the steps taken to mitigate the risks identified.

          Added: July 2025

      • Cyber Incident Detection and Management

        • SIO-9.6.33

          Stablecoin issuers must implement cyber security incident management processes to ensure timely detection, response and recovery for cyber security incidents. This includes implementing a monitoring system for log correlation and anomaly detection.

          Added: July 2025

        • SIO-9.6.34

          Stablecoin issuers should receive data on a real time basis from all relevant systems, applications, and network devices including operational and business systems. The monitoring system should be capable of identifying indicators of cyber incidents and initiate alerts, reports, and response activities based on the defined cyber security incident management process.

          Added: July 2025

        • SIO-9.6.35

          Stablecoin issuers should retain the logs and other information from the monitoring system for detecting cyber incidents, including "low-and-slow" attacks, in order to facilitate incident investigations, for 12 months or longer.

          Added: July 2025
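          The following is an added example, not the CBB’s or any licensee’s detection content, of the kind of log correlation SIO-9.6.33 to SIO-9.6.35 call for: a conventional short-window rule beside a long-window rule that only surfaces a "low-and-slow" pattern when enough history is retained. The log format, the sample log, the source addresses and the thresholds are all constructed.

```python
"""Long-window correlation of authentication failures, illustrating why the
monitoring system's logs must be kept long enough to see "low-and-slow"
activity. Added illustration, not the CBB's or any licensee's detection
content; the log format, sample data and thresholds are all constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<UTC timestamp> auth_failed user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) auth_failed user=(\S+) src=(\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Return (timestamp, user, src) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3)


def build_sample_log():
    """Constructed sample: a slow drip, a burst, and ordinary user mistakes."""
    start = datetime(2025, 1, 1)
    lines = []
    # Slow drip: one failure a day for 45 days, rotating through accounts
    for day in range(45):
        ts = start + timedelta(days=day, hours=3, minutes=day % 7)
        lines.append(f"{ts:{TS_FMT}} auth_failed user=u{day % 9} src=198.51.100.7")
    # Burst: twelve failures within three minutes from a second source
    for i in range(12):
        ts = start + timedelta(days=10, minutes=i // 4)
        lines.append(f"{ts:{TS_FMT}} auth_failed user=alice src=203.0.113.9")
    # Ordinary: a real user mistyping a password twice
    for sec in (0, 30):
        ts = start + timedelta(days=5, hours=9, seconds=sec)
        lines.append(f"{ts:{TS_FMT}} auth_failed user=bob src=192.0.2.44")
    return lines


def _max_in_window(times, window):
    """Largest number of events falling inside any span of length `window`."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def _by_source(events):
    by_src = defaultdict(list)
    for ts, _user, src in events:
        by_src[src].append(ts)
    return by_src


def burst_alerts(events, window=timedelta(minutes=10), threshold=10):
    """Conventional short-window rule: many failures from one source within minutes."""
    return sorted(src for src, ts in _by_source(events).items()
                  if _max_in_window(ts, window) >= threshold)


def low_and_slow_alerts(events, window=timedelta(days=30), threshold=20, daily_limit=5):
    """Sources that never exceed `daily_limit` failures in a day (so the burst
    rule stays quiet) yet accumulate `threshold` failures inside `window`."""
    return sorted(src for src, ts in _by_source(events).items()
                  if _max_in_window(ts, timedelta(days=1)) < daily_limit
                  and _max_in_window(ts, window) >= threshold)


def analyse(lines, retention_days=365):
    """Parse the lines, keep only what falls inside the retention horizon
    (measured back from the newest event), and run both rules."""
    events = [e for e in map(parse_line, lines) if e]
    if not events:
        return {"burst": [], "low_and_slow": []}
    newest = max(ts for ts, _, _ in events)
    kept = [e for e in events if newest - e[0] <= timedelta(days=retention_days)]
    return {"burst": burst_alerts(kept), "low_and_slow": low_and_slow_alerts(kept)}


if __name__ == "__main__":
    print(analyse(build_sample_log()))                   # both sources flagged
    print(analyse(build_sample_log(), retention_days=7))  # the slow drip disappears
```

          With the full history available both sources are flagged; with only seven days of logs the slow source is invisible to either rule, which is the point of the retention period in SIO-9.6.35.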

        • SIO-9.6.36

          Once a cyber incident is detected, stablecoin issuers should activate their containment measures, processes and technologies best suited to each type of cyber incident to prevent a cyber incident from inflicting further damage. This may involve, after considering the costs, business impact and operational risks, shutting down or isolating all or affected parts of their systems and networks as deemed necessary for containment and diagnosis.

          Added: July 2025

        • SIO-9.6.37

          Stablecoin issuers must define roles and responsibilities and assign adequate resources to detect, identify, investigate and respond to cyber incidents that could impact the licensee’s infrastructure, services and clients. Such responsibilities must include log correlation, anomaly detection and maintaining the licensee’s asset inventory and network diagrams.

          Added: July 2025

        • SIO-9.6.38

          Stablecoin issuers must regularly identify, test, review and update current cyber security risk scenarios and the corresponding response plan. This is to ensure that the scenarios and response plan remain relevant and effective, taking into account changes in the operating environment, systems or the emergence of new cyber security threats. If any gaps are identified, the monitoring system must be updated with new use cases and rule sets which are capable of detecting the current cyber incident scenarios.

          Added: July 2025

        • SIO-9.6.39

          The cyber incident scenario tests should include high-impact-low-probability events and scenarios that may result in failure. Common cyber incident scenarios include distributed denial of service (DDoS) attacks, system intrusion, data exfiltration and system disruption. Stablecoin issuers should regularly use threat intelligence to update the scenarios so that they remain current and relevant. Stablecoin issuers should periodically review current cyber incident scenarios for the purpose of assessing the licensee’s ability to detect and respond to these scenarios if they were to occur.

          Added: July 2025

        • SIO-9.6.40

          Stablecoin issuers must ensure that critical cyber security incidents detected are escalated to an incident response team, management and the Board, in accordance with the licensee’s business continuity plan and crisis management plan, and that an appropriate response is implemented promptly. Also refer to Paragraph SIO-9.6.61 for the requirement to report to the CBB.

          Added: July 2025

        • SIO-9.6.41

          Stablecoin issuers should clearly define the roles, responsibilities and accountabilities for cyber incident detection and response activities to one or more named individuals that meet the pre-requisite role requirements. Potential conflicts of interest are minimised by ensuring a separation of implementation and oversight roles where possible. The roles should include:

          (a) Incident Owner: An individual who is responsible for handling the overall cyber incident detection and response activities according to the incident type and services affected. The Incident Owner is delegated appropriate authority to manage the mitigation or preferably, removal of all impacts due to the incident.
          (b) Spokesperson: An individual, who is responsible for managing the communications strategy by consolidating relevant information and views from subject matter experts and the licensed stablecoin issuer’s management to update the internal and external stakeholders with consistent information.
          (c) Record Keeper: An individual who is responsible for maintaining an accurate record of the cyber incident throughout its different phases, as well as documenting actions and decisions taken during and after a cyber incident. The record should serve as an accurate source of reference for after-action reviews to improve future cyber incident detection and response activities.
          Added: July 2025

        • SIO-9.6.42

          For the purpose of managing a critical cyber incident, stablecoin issuers should operate a situation room, and should include in the incident management procedure a definition of the authorities and responsibilities of staff members, internal and external reporting lines, communication channels, tools and detailed working procedures. The situation room or a war room is a physical room or a virtual room where relevant members of the management gather to handle a crisis in the most efficient manner possible.

          Added: July 2025

        • SIO-9.6.43

          Stablecoin issuers should record and document in an orderly manner the incidents that have been handled and the actions that were taken by the relevant functions. In particular, a licensed stablecoin issuer should maintain an "incident log" in which all the notifications, decisions and actions taken, in relation to cyber incidents, are documented, as close as possible to the time of their occurrence. It should also include the status of the issue whether it is open or has been resolved and the person in charge of resolving the issue/incident. The logs should be stored and preserved in a secure and legally admissible manner.

          Added: July 2025

        • SIO-9.6.44

          Stablecoin issuers should utilise pre-defined taxonomy for classifying cyber incidents according to, for example, the type of incident, threat actors, threat vectors and repercussions; and a pre-established severity assessment framework to help gauge the severity of the cyber incident. For example, taxonomies that can be used when describing cyber incidents:

          (a) Describe the cause of the cyber incident (e.g. process failure, system failure, human error, external event, malicious action).
          (b) Describe whether the cyber incident is due to a third-party service provider.
          (c) Describe the attack vector (e.g. malware, virus, worm, malicious hyperlink).
          (d) Describe the delivery channel used (e.g. e-mail, web browser, removable storage media).
          (e) Describe the impact (e.g. service degradation/disruption, service downtime, potential impact to clients, data leakage, unavailability of data, data destruction/corruption, reputational damage).
          (f) Describe the type of incident (e.g. zero-day attack, exploiting a known vulnerability, isolated incident).
          (g) Describe the intent (e.g. malicious, theft, monetary gain, fraud, political, espionage, opportunistic).
          (h) Describe the threat actor (e.g. script kiddies, amateur, criminal syndicate, hacktivist, nation state).
          (i) The cyber incident severity may be classified as:

          i. Severity 1 incident has caused or will cause a serious disruption or degradation of critical service(s) and there is potentially high impact on public confidence in the stablecoin issuer.
          ii. Severity 2 incident has or will cause some degradation of critical services and there is medium impact on public confidence in the licensee.
          iii. Severity 3 incident has little or no impact on critical services and there is no visible impact on public confidence in the stablecoin issuer.
          Added: July 2025

        • SIO-9.6.45

          Stablecoin issuers should determine the effects of the cyber incident on clients and to the wider financial system as a whole and report the results of such an assessment to the CBB if it is determined that the cyber incident may have a systemic impact.

          Added: July 2025

        • SIO-9.6.46

          Stablecoin issuers should establish metrics to measure the impact of a cyber incident and to report to management the performance of response activities. Examples include:

          (a) Metrics to measure impact of a cyber incident:

          i. Duration of unavailability of critical functions and services;
          ii. Number of stolen records or affected accounts;
          iii. Volume of clients impacted;
          iv. Amount of lost revenue due to business downtime, including both existing and future business opportunities; and
          v. Percentage of service level agreements breached.

          (b) Performance metrics for incident management:

          i. Volume of incidents detected and responded via automation;
          ii. Dwell time (i.e. the duration a threat actor has undetected access until completely removed); and
          iii. Recovery point objectives (RPO) and recovery time objectives (RTO) satisfied.
          Added: July 2025
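          The following is an added example, not the CBB’s or any licensee’s code, of computing several of the metrics listed in SIO-9.6.46 from incident records, using the definition of dwell time given in (b)(ii) and the RTO/RPO notions of SIO-9.6.49. The `Incident` record layout, the hour-based RTO/RPO parameters and the two sample incidents are constructed.

```python
"""Incident metrics of the kind listed in SIO-9.6.46, computed from incident
records. Added illustration, not the CBB's or any licensee's code; the Incident
record layout and the sample incidents are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Incident:
    incident_id: str
    initial_access: datetime          # first actor access, established by forensics
    detected: datetime
    eradicated: datetime              # actor access completely removed
    detected_by_automation: bool
    clients_impacted: int
    records_affected: int
    service_down: Optional[datetime] = None
    service_restored: Optional[datetime] = None
    last_good_backup: Optional[datetime] = None


def dwell_time(inc: Incident) -> timedelta:
    """Undetected access until complete removal, as (b)(ii) defines it."""
    return inc.eradicated - inc.initial_access


def time_to_detect(inc: Incident) -> timedelta:
    return inc.detected - inc.initial_access


def outage(inc: Incident) -> Optional[timedelta]:
    """Duration of unavailability, or None when no service was disrupted."""
    if inc.service_down is None or inc.service_restored is None:
        return None
    return inc.service_restored - inc.service_down


def rto_met(inc: Incident, rto_hours: float) -> bool:
    """True when the service came back within the RTO (or never went down)."""
    out = outage(inc)
    return out is None or out <= timedelta(hours=rto_hours)


def rpo_met(inc: Incident, rpo_hours: float) -> bool:
    """True when data loss (disruption minus last good restore point) is within the RPO."""
    if inc.service_down is None:
        return True
    if inc.last_good_backup is None:
        return False                      # no restore point known: count it as a miss
    return inc.service_down - inc.last_good_backup <= timedelta(hours=rpo_hours)


def summarise(incidents: List[Incident], rto_hours: float, rpo_hours: float) -> dict:
    """Management summary: impact and performance metrics over a set of incidents."""
    n = len(incidents)
    if n == 0:
        return {"incidents": 0}
    hours = lambda td: td.total_seconds() / 3600
    outages = [o for o in map(outage, incidents) if o is not None]
    return {
        "incidents": n,
        "clients_impacted": sum(i.clients_impacted for i in incidents),
        "records_affected": sum(i.records_affected for i in incidents),
        "total_outage_hours": sum(hours(o) for o in outages),
        "mean_dwell_hours": sum(hours(dwell_time(i)) for i in incidents) / n,
        "automation_pct": 100.0 * sum(i.detected_by_automation for i in incidents) / n,
        "rto_rpo_satisfied_pct": 100.0 * sum(
            rto_met(i, rto_hours) and rpo_met(i, rpo_hours) for i in incidents) / n,
    }


# Constructed sample incidents: one with an outage, one without.
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2025, 2, 1, 10), datetime(2025, 2, 3, 8), datetime(2025, 2, 3, 20),
             detected_by_automation=True, clients_impacted=120, records_affected=0,
             service_down=datetime(2025, 2, 3, 8, 30), service_restored=datetime(2025, 2, 3, 11, 30),
             last_good_backup=datetime(2025, 2, 3, 6)),
    Incident("INC-2", datetime(2025, 3, 10, 9), datetime(2025, 3, 10, 9, 5), datetime(2025, 3, 10, 10),
             detected_by_automation=False, clients_impacted=0, records_affected=35),
]

if __name__ == "__main__":
    print(summarise(SAMPLE_INCIDENTS, rto_hours=4, rpo_hours=4))
```

          Note that dwell time is measured from initial access, not from detection, so the forensic finding of when access began drives the metric; an incident with no known restore point is counted as an RPO miss rather than silently passing.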

        • SIO-9.6.47

          Stablecoin issuers must identify the critical systems and services within their operating environment that must be recovered on a priority basis in order to provide certain minimum levels of service during the downtime, and determine how much time the licensee will require to return to full service and operations.

          Added: July 2025

        • SIO-9.6.48

          Critical incidents are defined as incidents that trigger the BCP and the crisis management plan. Critical systems and services are those whose failure can have material impact on any of the following elements:

          (a) Financial situation;
          (b) Reputation;
          (c) Regulatory, legal and contractual obligations;
          (d) Operational aspects; and
          (e) Delivery of key products and services.
          Added: July 2025

        • SIO-9.6.49

          Stablecoin issuers must define a program for recovery activities for the purpose of timely restoration of any capabilities or services that were impaired due to a cyber security incident. Stablecoin issuers must establish recovery time objectives (“RTOs”), i.e. the time within which the intended process is to be recovered, and recovery point objectives (“RPOs”), i.e. the point to which information used must be restored to enable the activity to operate on resumption. Licensees must also consider the need for communication with third party service providers, clients and other relevant external stakeholders as may be necessary.

          Added: July 2025

        • SIO-9.6.50

          Stablecoin issuers must ensure that all critical systems are able to recover from a cyber security breach within the licensee’s defined RTO in order to provide important services or some level of minimum services for a temporary period of time.

          Added: July 2025

        • SIO-9.6.51

          Stablecoin issuers should validate that recovered assets are free of compromise, fully functional and meet the security requirements before returning the systems to normal business operations. This includes performing checks on data to ensure data integrity. In some cases, licensees may need to use backup data kept in a disaster recovery site or plan for the reconstruction of data from external stakeholders such as business partners and clients.

          Added: July 2025

        • SIO-9.6.52

          Stablecoin issuers must define a program for exercising the various response mechanisms, taking into account the various types of exercises such as attack simulations, "war games" and "tabletop" exercises, and with reference to the relevant stakeholders such as technical staff, crisis management team, decision-makers and spokespersons.

          Added: July 2025

        • SIO-9.6.53

          Stablecoin issuers must define the mechanisms for ensuring accurate, timely and actionable communication of cyber incident response and recovery activities with the internal stakeholders, including to the board or designated committee of the board.

          Added: July 2025

        • SIO-9.6.54

          A stablecoin issuer must ensure its business continuity plan is comprehensive and includes a recovery plan for its systems, operations and services following a cyber security incident or breach.

          Added: July 2025

      • Chief Information Security Officer

        • SIO-9.6.55

          A stablecoin issuer’s CISO, as referred to in Paragraph SIO-9.6.7(d), is responsible for overseeing and implementing the stablecoin issuer’s cyber security program and enforcing its cyber security policy. The CISO must report to an independent risk management function or the stablecoin issuer must incorporate the responsibilities of cyber security risk into the risk management function.

          Added: July 2025

      • Cyber Risk Insurance

        • SIO-9.6.56

          A stablecoin issuer, based on the assessment of cyber security risk exposure and with an objective to mitigate cyber security risk, must evaluate and consider the option of availing cyber risk insurance. The evaluation process to determine suitability of cyber risk insurance as a risk mitigant must be undertaken on a yearly basis and be documented by the licensee.

          Added: July 2025

        • SIO-9.6.57

          The cyber risk insurance policy, referred to in Paragraph SIO-9.6.56, may include some or all of the following types of coverage, depending on the risk assessment outcomes:

          (a) Crisis management expenses, such as costs of notifying affected parties, costs of forensic investigation, costs incurred to determine the existence or cause of a breach, regulatory compliance costs, costs of analysing the licensee’s legal response obligations;
          (b) Claim expenses such as costs of defending lawsuits, judgments and settlements, and costs of responding to regulatory investigations;
          (c) Coverage for a variety of torts, including invasion of privacy or copyright infringement; and
          (d) Coverages relating to loss of revenue due to interruption of data systems resulting from a cyber or denial of service attack and other costs associated with the loss of data collected by the licensee.
          Added: July 2025

      • Training and Awareness

        • SIO-9.6.58

          Stablecoin issuers must evaluate improvement in the level of awareness and preparedness to deal with cyber security risk to ensure the effectiveness of the training programmes implemented.

          Added: July 2025

        • SIO-9.6.59

          Stablecoin issuers must ensure that all employees receive adequate training on a regular basis in relation to cyber security and the threats they could encounter, such as through testing employee reactions to simulated cyber-attack scenarios. All relevant employees must be informed of current cyber security breaches and threats. Additional training should be provided to ‘higher risk staff’.

          Added: July 2025

        • SIO-9.6.60

          Stablecoin issuers must ensure that role specific cyber security training is provided on a regular basis to relevant staff including: (a) Executive board and senior management; (b) cyber security roles; (c) IT staff; and (d) any high-risk staff as determined by the stablecoin issuer.

          Added: July 2025

      • Reporting to the CBB

        • SIO-9.6.61

          Upon occurrence or detection of any cyber security incident or detection of any unplanned outages, whether internal or external, that compromises client information or disrupts critical services that affect operations, stablecoin issuers must contact the CBB, immediately (within one hour), on 17547477 and submit Section A of the Cyber Security Incident Report (Appendix-B) to the CBB’s cyber incident reporting email, incident.cra@cbb.gov.bh, as soon as possible, but not later than two hours, following occurrence or detection of any cyber incidents.

          Added: July 2025

        • SIO-9.6.62

          Following the submission referred to in Paragraph SIO-9.6.61, the stablecoin issuer must submit to the CBB Section B of the Cyber Security Incident Report (Appendix B) within 10 calendar days of the occurrence of the cyber security incident. The stablecoin issuer must include all relevant details in the report, including the full root cause analysis of the cyber security incident, its impact on the business operations and clients, and all measures taken by the stablecoin issuer to stop the attack, mitigate its impact and ensure that similar events do not recur. In addition, a weekly progress update must be submitted to the CBB until the incident is fully resolved.

          Added: July 2025

        • SIO-9.6.63

          With regards to the submission requirement mentioned in Paragraph SIO-9.6.62, the stablecoin issuer should submit the report with as much information as possible even if all the details have not been obtained yet.

          Added: July 2025

        • SIO-9.6.64

          The vulnerability assessment and penetration testing report (refer to Paragraph SIO-9.6.32), along with the steps taken to mitigate the risks must be maintained by the licensee for a five-year period from the date of the report.

          Added: July 2025

    • SIO-9.7 Cyber Hygiene Practices

      • Multi Factor Authentication

        • SIO-9.7.1

          Stablecoin issuers must ensure that every client account is secured to prevent any unauthorized access to or use of client account.

          Added: July 2025

        • SIO-9.7.2

          Stablecoin issuers must use multi-factor authentication (two or more factors) to authenticate the identity and authorisation of clients with whom it conducts business. Licensees must, at a minimum, establish adequate security features for client authentication including the use of at least two of the following three elements:

          (a) Knowledge (something that only the user knows), such as a PIN or password;
          (b) Possession (something only the user possesses), such as a mobile phone, smart watch, smart card or a token; and
          (c) Inherence (something that the user is), such as fingerprint, facial recognition, voice patterns, DNA signature and iris format.
          Added: July 2025

        • SIO-9.7.3

          Stablecoin issuers must ensure that at least one of the factors for authentication referred to in Paragraph SIO-9.7.2 is a dynamic or non-replicable factor unless one of the factors is inherence.

          Added: July 2025

        • SIO-9.7.4

          For the purpose of Paragraph SIO-9.7.2, stablecoin issuers must ensure that the authentication elements are independent from each other, in that the breach of one does not compromise the reliability of the other and are sufficiently complex to prevent forgery.

          Added: July 2025
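          The following is an added example, not the CBB’s or any licensee’s code, of the dynamic possession factor that SIO-9.7.3 calls for (a standard HOTP/TOTP one-time code, RFC 4226/RFC 6238) together with a small check that a proposed set of factors meets SIO-9.7.2 and SIO-9.7.3. The `satisfies_mfa_policy` helper, its `(category, dynamic)` representation and the category names are constructed; the test vectors are the published RFC ones.

```python
"""RFC 4226/6238 one-time codes as the dynamic possession factor referred to in
SIO-9.7.3, plus a check that a chosen set of factors satisfies SIO-9.7.2 and
SIO-9.7.3. Added illustration, not the CBB's or any licensee's code; the
factor-policy helper and its category names are constructed."""
import hashlib
import hmac
import struct
import time

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time=None, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Constant-time check of a submitted code, tolerating `window` steps of clock skew.
    The code changes every `step` seconds, which is what makes the factor dynamic."""
    at_time = time.time() if at_time is None else at_time
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))


def satisfies_mfa_policy(factors):
    """factors: list of (category, dynamic) pairs, e.g. (POSSESSION, True) for a
    TOTP token or (KNOWLEDGE, False) for a password.  Returns (ok, reason)
    against the two-of-three rule in SIO-9.7.2 and the dynamic-factor rule in
    SIO-9.7.3.  Constructed helper; it does not assess factor independence."""
    categories = {c for c, _ in factors}
    if not categories <= {KNOWLEDGE, POSSESSION, INHERENCE}:
        return False, "unknown factor category"
    if len(categories) < 2:
        return False, "fewer than two distinct factor categories (SIO-9.7.2)"
    if INHERENCE not in categories and not any(dynamic for _, dynamic in factors):
        return False, "no dynamic or non-replicable factor and no inherence factor (SIO-9.7.3)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed demonstration secret; a real seed is generated per client and
    # stored only in protected storage on the licensee's side.
    seed = b"12345678901234567890"
    now = time.time()
    print(totp(seed, now), verify_totp(seed, totp(seed, now), now))
    print(satisfies_mfa_policy([(KNOWLEDGE, False), (POSSESSION, True)]))
```

          The policy helper deliberately says nothing about SIO-9.7.4: whether a password and a TOTP app are independent depends on deployment (both on one compromised handset are not), and that remains a design review question rather than something a code check can settle.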