• Cyber Risk Identification and Assessments

    • SIO-9.6.24

      Stablecoin issuers must conduct periodic assessments of cyber threats. For the purpose of analysing and assessing current cyber threats relevant to the licensee, it should take into account the factors detailed below:

      (a) Cyber threat entities, including cyber criminals, cyber activists and insider threats;
      (b) Methodologies and attack vectors across various technologies including cloud, email, websites, third parties, physical access, or others as relevant;
      (c) Changes in the frequency, variety, and severity of cyber threats relevant to the region;
      (d) Dark web surveillance to identify any plots for cyber-attacks;
      (e) Examples of cyber threats from past cyber-attacks on the licensee where applicable; and
      (f) Examples of cyber threats from recent cyber-attacks on other organisations.

      Added: July 2025

    • SIO-9.6.25

      Stablecoin issuers must conduct periodic assessments of the maturity, coverage, and effectiveness of all cyber security controls. Cyber security control assessment must include an analysis of the controls’ effectiveness in reducing the likelihood and probability of a successful attack.

      Added: July 2025

    • SIO-9.6.26

      Stablecoin issuers should ensure that the periodic assessments of cyber threats and cyber security controls cover all critical technology systems. A risk treatment plan should be developed for all residual risks which are considered to be above the licensee’s risk tolerance levels.

      Added: July 2025

    • SIO-9.6.27

      Stablecoin issuers must conduct regular technical assessments to identify potential security vulnerabilities for systems, applications, and network devices. The vulnerability assessments must be comprehensive and cover internal technology, external technology, and connections with third parties. Preferably, monthly assessments should be conducted for internal technology and weekly or more frequent assessments for external public facing services and systems.

      Added: July 2025

    • SIO-9.6.28

      With respect to Paragraph SIO-9.6.27, external technology refers to the stablecoin issuer’s public facing technology such as websites, apps and external servers. Connections with third parties include any API or other connections with fintech companies, technology providers, outsourcing service providers etc.

      Added: July 2025

    • SIO-9.6.29

      Stablecoin issuers must have in place vulnerability and patch management processes which include remediation processes to ensure that the vulnerabilities identified are addressed and that security patches are applied where relevant within a timeframe that is commensurate with the risks posed by each vulnerability.

      Added: July 2025

    • SIO-9.6.30

      Stablecoin issuers must, at least twice a year, perform vulnerability assessment and penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place. These tests must be used to simulate real world cyber-attacks on the technology environment and must:

      (a) Follow a risk-based approach based on an internationally recognized methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;
      (b) Include both Grey Box and Black Box testing in its scope;
      (c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;
      (d) Be performed internally at periodic intervals by employees having adequate expertise and competency in such testing;
      (e) Be performed, twice a year, by external independent third parties who are rotated out at least every two years; and
      (f) Be performed on either the production environment or on non-production exact replicas of the production environment.

      Added: July 2025

    • SIO-9.6.31

      The CBB may require additional third-party security reviews to be performed as needed.

      Added: July 2025

    • SIO-9.6.32

      The time period between two consecutive penetration tests and vulnerability assessments by an independent third party, referred to in Paragraph SIO-9.6.30(e), must be 6 months, and the report on such testing must be provided to the CBB within two months following the end of the month in which the testing took place. The vulnerability assessment and penetration testing reports must include the vulnerabilities identified and a full list of ‘passed’ tests and ‘failed’ tests, together with the steps taken to mitigate the risks identified.

      Added: July 2025