• Roles and Responsibilities of the Management

    • SIO-9.6.8

      The management is responsible for:

(a) Establishing and implementing cyber security policies and procedures that are commensurate with the level of cyber security risk exposure and its impact on the stablecoin issuer. These policies and procedures must take into account the following:

      i. The sensitivity and confidentiality of data which the stablecoin issuer maintains;
      ii. Vulnerabilities of the stablecoin issuer’s information systems and operating environment across the licensee; and
      iii. The existing and emerging cyber security threats.
(b) Ensuring that employees, agents (where relevant) and third-party service providers are aware of and understand the cyber security risk policies and procedures, the possible impact of various cyber security threats and their respective roles in managing such threats;
      (c) Recommending to the board on appropriate strategies and measures to manage cyber security risk, including making necessary changes to existing policies and procedures, as appropriate; and
(d) Reporting to the board any cyber security breaches and periodically updating the board on emerging cyber security threats and their potential impact on the stablecoin issuer.
      Added: July 2025

    • SIO-9.6.9

      Management must ensure that:

      (a) The stablecoin issuer has identified clear internal ownership and classification for all information assets and data;
      (b) The stablecoin issuer has maintained an inventory of the information assets and data which is reviewed and updated regularly;
(c) The employees responsible for cyber security are adequate to manage the licensed stablecoin issuer’s cyber security risks and to facilitate the performance and continuous improvement of all relevant cyber security controls; and
(d) It provides, and requires employees involved in cyber security to attend, regular cyber security update and training sessions (for example Security+, CEH, CISSP, CISA, CISM, CCSP) to stay abreast of changing cyber security threats and countermeasures.
      Added: July 2025

    • SIO-9.6.10

      With respect to Paragraph SIO-9.6.9(a), data classification entails analyzing the data the stablecoin issuer retains, determining its importance and value, and then assigning it to a category. When classifying data, the following aspects should be determined:

      (a) Who has access to the data;
      (b) How the data is secured;
      (c) How long the data is retained (this includes backups);
      (d) What method should be used to dispose of the data;
      (e) Whether the data needs to be encrypted; and
      (f) What use of the data is appropriate.

      The general guideline for data classification is that the definition of the classification should be clear enough so that it is easy to determine how to classify the data. The owner of data (i.e. the relevant business function) should be involved in such classification.

      Added: July 2025