Prevention
SIO-9.6.14
Stablecoin issuers must conduct regular assessments as part of the licensee’s compliance programme to identify potential vulnerabilities and cyber security threats in its operating environment which could undermine the security, confidentiality, availability and integrity of the information assets, systems and networks.
Added: July 2025
SIO-9.6.15
The assessment of the vulnerabilities of the stablecoin issuer’s operating environment must be comprehensive, including an assessment of potential vulnerabilities relating to personnel, the parties with whom a licensee deals, the systems and technologies adopted, business processes and outsourcing arrangements.
Added: July 2025
SIO-9.6.16
Stablecoin issuers must develop and implement preventive measures to minimise the licensee’s exposure to cyber security risk.
Added: July 2025
SIO-9.6.17
Preventive measures referred to in Paragraph SIO-9.6.16 above must include, at a minimum, the following:
(a) Deployment of End Point Protection (EPP) and End Point Detection and Response (EDR), including anti-virus and anti-malware software, to detect, prevent and isolate malicious code;
(b) Layering systems and system components;
(c) Use of firewalls for network segmentation, including Web Application Firewalls (WAF), where relevant, for filtering and monitoring HTTP traffic between a web application and the Internet, and access control lists to limit unauthorised system access between network segments;
(d) Rigorous testing at the software development stage as well as after deployment to limit the number of vulnerabilities;
(e) Penetration testing of existing systems and networks;
(f) Use of an authority matrix to limit privileged internal or external access rights to systems and data;
(g) Use of a secure email gateway to limit email-based cyber-attacks such as malware attachments, malicious links and phishing scams (for example, Microsoft Office 365 Advanced Threat Protection tools for email);
(h) Use of a Secure Web Gateway to limit browser-based cyber-attacks and malicious websites and to enforce organisation policies;
(i) Creating a list of whitelisted applications and application components (libraries, configuration files, etc.) that are authorised to be present or active on the organisation’s systems; and
(j) Implementing Bring Your Own Device (“BYOD”) security policies to secure all mobile devices with any access to licensee systems, applications and networks through security measures such as encryption, remote wipe capabilities and password enforcement.
Added: July 2025
SIO-9.6.18
Stablecoin issuers should also implement prevention controls in the following areas:
(a) Data leakage prevention to detect and prevent confidential data from leaving the licensee’s technology environment;
(b) Controls to secure physical network ports against connection by computers which are not authorised to connect to the licensee’s network, or which do not meet the minimum security requirements defined for licensee computer systems (e.g. network access control); and
(c) Identity and access management controls to limit the exploitation, and monitor the use, of privileged and non-privileged accounts.
Added: July 2025
SIO-9.6.19
Stablecoin issuers must set up anti-spam and anti-spoofing measures to authenticate the licensee’s mail server and to prove to ISPs, mail services and other receiving mail servers that the senders are genuinely authorised to send email for the licensee’s domain. Examples of such measures include:
(a) SPF “Sender Policy Framework”;
(b) DKIM “DomainKeys Identified Mail”; and
(c) DMARC “Domain-based Message Authentication, Reporting and Conformance”.
Added: July 2025
SIO-9.6.20
Stablecoin issuers should subscribe to a cyber threat intelligence service in order to stay abreast of emerging cyber threats, cybercrime actors and state-of-the-art tools and security measures.
Added: July 2025
SIO-9.6.21
Stablecoin issuers must use a single unified private email domain or its subdomains for communication with clients to prevent abuse by third parties. Stablecoin issuers must not utilise third-party email provider domains for communication with clients. The email domains must comply with the requirements with respect to SPF, DKIM and DMARC in this Module.
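The following script is an added example, not part of the Module text, showing the static checks a reviewer would apply to the records that Paragraphs SIO-9.6.19 and SIO-9.6.21 require on every domain used for client email. It flags an SPF record that ends in “+all” or exceeds the ten-lookup limit of RFC 7208, a DMARC record whose policy is “p=none” or has no reporting address, and a DKIM key record that is revoked, in testing mode, or carries an RSA key shorter than 2048 bits. The domain names (issuer.example and others), the records and the DKIM public key are constructed for the example and contain no real key material; in practice the TXT records are fetched from DNS for the domain, for <selector>._domainkey.<domain> and for _dmarc.<domain>.

```python
"""Static checks on a domain's SPF, DKIM and DMARC TXT records.

Added example for SIO-9.6.19 and SIO-9.6.21, not part of the CBB Module; the
domain names, records and DKIM key are constructed so it runs offline.
"""
import base64


def check_spf(record):
    """Findings for an SPF record (RFC 7208); an empty list means it passes."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"      # default qualifier is Pass
        name = term.lstrip("+-~?").lower().split(":")[0].split("/")[0].split("=")[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1                                       # terms that cost a DNS lookup
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a Neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host send for the domain; use -all (or ~all)")
    return findings


def _tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def check_dmarc(record):
    """Findings for a _dmarc TXT record (RFC 7489)."""
    if record.split(";")[0].strip() != "v=DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    tags, findings = _tags(record), []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"p={tags.get('p')} only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports of spoofing attempts will not arrive")
    return findings


def _der_read(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def rsa_modulus_bits(spki):
    """Modulus size of a DER RSA SubjectPublicKeyInfo, which is what DKIM's p= tag carries."""
    _, pos, _ = _der_read(spki, 0)                     # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _der_read(spki, pos)                   # skip AlgorithmIdentifier
    _, pos, _ = _der_read(spki, pos)                   # BIT STRING; first content byte = unused bits
    _, pos, _ = _der_read(spki, pos + 1)               # RSAPublicKey SEQUENCE
    _, start, end = _der_read(spki, pos)               # INTEGER modulus
    return int.from_bytes(spki[start:end], "big").bit_length()


def check_dkim(record):
    """Findings for a <selector>._domainkey TXT record (RFC 6376; key size per RFC 8301)."""
    tags = _tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":              # v= is optional but must be DKIM1 if present
        return ["not a DKIM key record"]
    if not tags.get("p"):
        return ["empty p= tag: the key is revoked, signatures will not verify"]
    findings = []
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag: verifiers treat signature failures as unsigned mail")
    if tags.get("k", "rsa") == "rsa":
        bits = rsa_modulus_bits(base64.b64decode("".join(tags["p"].split())))
        if bits < 2048:
            findings.append(f"{bits}-bit RSA key; RFC 8301 says signers should use 2048 bits or more")
    return findings


# Constructed sample data for a hypothetical issuer.example; the DKIM key is a dummy, not real key material.
def _tlv(tag, body):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    header = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x80 | size]) + n.to_bytes(size, "big")
    return header + body


def placeholder_rsa_spki(bits):
    """DER SubjectPublicKeyInfo whose modulus has exactly `bits` bits (dummy value, not a key)."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")   # leading 0: positive INTEGER
    rsa_pub = _tlv(0x30, _tlv(0x02, modulus) + _tlv(0x02, b"\x01\x00\x01"))  # modulus, exponent 65537
    alg_id = bytes.fromhex("300d06092a864886f70d0101010500")                 # rsaEncryption, NULL params
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_pub))


SPF_STRICT = "v=spf1 mx include:_spf.mailer.example -all"
SPF_OPEN = "v=spf1 a mx include:a.example include:b.example +all"
DMARC_ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc@issuer.example; adkim=s; aspf=s"
DMARC_MONITOR_ONLY = "v=DMARC1; p=none"
DKIM_2048 = "v=DKIM1; k=rsa; p=" + base64.b64encode(placeholder_rsa_spki(2048)).decode()
DKIM_1024 = "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(placeholder_rsa_spki(1024)).decode()
```

Calling check_spf, check_dkim and check_dmarc on the fetched records and getting an empty list from each is the pass condition for a domain; SPF_OPEN, DKIM_1024 and DMARC_MONITOR_ONLY each produce findings. The script checks record syntax and policy strength only; it does not evaluate DMARC alignment against actual messages, and the strict alignment tags (adkim=s, aspf=s) in the sample are tighter than the Module requires.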
Added: July 2025
SIO-9.6.22
For the purpose of Paragraph SIO-9.6.21, stablecoin issuers with subsidiaries or branches outside Bahrain will be allowed to use additional domains subject to CBB’s review. Licensees may also be allowed, subject to CBB’s review, to have their clients receive emails from third-party service providers for specific services offered by such third parties, provided the clients were informed of and agreed to such an arrangement. Examples of such third-party services include informational subscription services and document management services.
Added: July 2025
SIO-9.6.23
Stablecoin issuers must comply with the following requirements with respect to URLs or other clickable links in communications with clients:
(a) Limit the use of links in SMS and other short messages (such as WhatsApp) to messages sent as a result of a client request or action. Examples of such client actions include verification links for client onboarding and payment links for client-initiated transactions;
(b) Refrain from using shortened links in communication with clients;
(c) Implement measures to allow clients to verify the legitimacy of the links, which may include:
i. clear instructions on the licensee’s website/app where the link is sent as a result of client action on the licensee’s website/app;
ii. communication with clients, such as a phone call informing the client to expect a link from the licensee;
iii. provision of transaction details, such as the transaction amount and merchant name, in the message sent to the client with the link; and
iv. use of other verification measures such as OTP, password or biometric authentication; and
(d) Create client awareness campaigns to educate clients on the risk of fraud related to links they receive in SMS, short messages and emails, with clear instructions that stablecoin issuers will not send clickable links in SMS, emails and other short messages to request information or payments unless as a result of a client request or action. Stablecoin issuers may also train their clients by sending simulated phishing messages.
Added: July 2025