• Cyber Security Strategy

    • SIO-9.6.11

      An organisation-wide cyber security strategy must be defined and documented to include:

      (a) The position and importance of cyber security at the stablecoin issuer;
      (b) The primary cyber security threats and challenges facing the stablecoin issuer;
      (c) The stablecoin issuer’s approach to cyber security risk management;
      (d) The key elements of the cyber security strategy including objectives, principles of operation and implementation approach;
      (e) Scope of risk identification and assessment, which must include the dependencies on third party service providers;
      (f) Approach to planning response and recovery activities; and
      (g) Approach to communication with internal and external stakeholders, including sharing of information on identified threats and other intelligence among industry participants.

      Added: July 2025

    • SIO-9.6.12

      The cyber security strategy should be communicated to the relevant stakeholders, and it should be revised as necessary and, at least, once every three years. Appendix A provides cyber security control guidelines that can be used as a reference to support the stablecoin issuer’s cyber security strategy and cyber security policy.

      Added: July 2025

    • SIO-9.6.13

      Stablecoin issuers must implement a written cyber security risk policy setting out the licensee’s Board-approved policies and related procedures that are approved by senior management, for the protection of its electronic systems and client data stored on those systems. This policy must be reviewed and approved by the licensee’s board of directors at least annually. The cyber security policy, among others, must address the following areas:

      (a) A statement of the stablecoin issuer’s overall cyber risk tolerance as aligned with the licensee’s business strategy. The cyber risk tolerance statement should be developed through consideration of the various impacts of cyber threats including customer impact, service downtime, recovery time objectives and occurrence/severity of cyber security breaches. The statement must also consider the impact on clients, potential negative media publicity, potential regulatory penalties, financial loss etc.;
      (b) Strategy and measures to manage cyber security risk encompassing prevention, detection and recovery from a cyber security breach;
      (c) Roles, responsibilities and lines of accountability of the board, the board committees, the person responsible and accountable for effective management of cyber security risk, and key personnel involved in functions relating to the management of cyber security risk (such as information technology and security, business units and operations, risk management, business continuity management and internal audit);
      (d) Processes and procedures for the identification, detection, assessment, prioritisation, containment, response to, and escalation of cyber security breaches for decision-making;
      (e) Processes and procedures for the management of outsourcing, system development and maintenance arrangements with third party service providers, including requirements for such third-party service providers to comply with the licensed stablecoin issuer’s cyber security risk policy;
      (f) Communication procedures that will be activated by the stablecoin issuer in the event of a cyber security breach, which include reporting procedures, information to be reported, communication channels, list of internal and external stakeholders and communication timeline; and
      (g) Other key elements of the information security and cyber security risk management including the following:

      i. information security;
      ii. data governance and classification;
      iii. access controls;
      iv. business continuity and disaster recovery planning and resources;
      v. capacity and performance planning;
      vi. systems operations and availability concerns;
      vii. systems and network security;
      viii. systems and application development and quality assurance;
      ix. physical security and environmental controls;
      x. client data privacy;
      xi. vendor and third-party service provider management;
      xii. monitoring and implementing changes to core protocols not directly controlled by the licensee, as applicable;
      xiii. incident response; and
      xiv. system audit.

      Added: July 2025