General Requirements
SIO-9.6.1
Stablecoin issuers must establish and maintain an effective cyber security program to ensure the availability and functionality of the licensee's electronic systems and to protect those systems and any sensitive data stored on those systems from unauthorized access, use, or tampering. The cyber security program must be designed to perform, at a minimum, the following five core cyber security functions:
(a) identify internal and external cyber security risks by, at a minimum, identifying the information stored on the licensee's systems, the sensitivity of such information, and how and by whom such information may be accessed;
(b) protect the licensee's electronic systems, and the information stored on those systems, from unauthorized access, use, or other malicious acts through the use of defensive infrastructure and the implementation of policies and procedures;
(c) detect system intrusions, data breaches, unauthorized access to systems or information, malware, and other cyber security events;
(d) respond to detected cyber security events to mitigate any negative effects; and
(e) recover from cyber security events and restore normal operations and services.
Added: July 2025
SIO-9.6.2
Stablecoin issuers must have a robust cyber security risk management framework that encompasses, at a minimum, the following components:
(a) Cyber security strategy;
(b) Cyber security policy; and
(c) Cyber security risk management approach, tools and methodology, and an organization-wide security awareness program.
Added: July 2025
SIO-9.6.3
The cyber security risk management framework must be developed in accordance with the National Institute of Standards and Technology (NIST) Cyber security framework which is summarized in Appendix A – Cyber security Control Guidelines. Broadly, the cyber security risk management framework should be consistent with the licensed stablecoin issuer’s risk management framework.
Added: July 2025
SIO-9.6.4
Senior management, and where appropriate, the boards, should receive comprehensive reports, covering cyber security issues such as the following:
(a) Key Risk Indicators / Key Performance Indicators;
(b) Status reports on overall cyber security control maturity levels;
(c) Status of staff Information Security awareness;
(d) Updates on latest internal or relevant external cyber security incidents; and
(e) Results from penetration testing exercises.
Added: July 2025
SIO-9.6.5
Stablecoin issuers may establish a cyber security committee that is headed by an independent senior manager from a control function (such as the CRO), with appropriate authority to approve the policies and frameworks needed to implement the cyber security strategy, and that acts as a governance committee for the cyber security function. Membership of this committee should include senior management members from business functions, IT, Risk and Compliance.
Added: July 2025