SIO-9.3 Security Measures and Procedures
SIO-9.3.1
Stablecoin issuers must have measures and procedures in place which comply with network security best practices (e.g., the implementation of firewalls, the regular changing of passwords and encryption of data in transit and at rest). Updates and patches to all systems, particularly security systems, must be performed as soon as safely feasible after such updates and patches have been released.
Added: July 2025
SIO-9.3.2
The IT infrastructures must provide strong layered security and ensure elimination of “single points of failure”. Stablecoin issuers must maintain IT infrastructure security policies, describing in particular how strong layered security is provided and how “single points of failure” are eliminated. IT infrastructures must be strong enough to resist, without significant loss to clients, a number of scenarios, including but not limited to accidental destruction or breach of a single facility, collusion or leakage of information by employees/former employees within a single office premise, successful hack of a cryptographic module or server, or access by hackers of any single set of encryption/decryption keys.
Added: July 2025
SIO-9.3.3
Stablecoin issuers must regularly test security systems and processes. System components, processes, and custom software must be tested frequently to ensure security controls continue to reflect a changing environment.
Added: July 2025
SIO-9.3.4
Stablecoin issuers must have in place policies and procedures that address information security for all staff, set the security tone for the whole entity and inform staff of what is expected of them. All staff should be aware of the sensitivity of data and their responsibilities for protecting it.
Added: July 2025
SIO-9.3.5
The security policy should cover the encryption of data, both at rest and in transit, and should also give consideration to API security. In particular, the encryption and decryption of private keys should use encryption protocols, or alternative algorithms, that have broad acceptance among cyber security professionals. Critical cryptographic functions such as encryption, decryption, generation of private keys, and the use of digital signatures should only be performed within cryptographic modules complying with the highest, and ideally internationally recognised, applicable security standards.
Added: July 2025
SIO-9.3.6
Stablecoin issuers must conduct regular security tests of their systems, network, and connections.
Added: July 2025