Cyber Incident Detection and Management
SIO-9.6.33
Stablecoin issuers must implement cyber security incident management processes to ensure timely detection, response and recovery for cyber security incidents. This includes implementing a monitoring system for log correlation and anomaly detection.
Added: July 2025
SIO-9.6.34
Stablecoin issuers should receive data on a real-time basis from all relevant systems, applications and network devices, including operational and business systems. The monitoring system should be capable of identifying indicators of cyber incidents and of initiating alerts, reports and response activities based on the defined cyber security incident management process.
Added: July 2025
SIO-9.6.35
Stablecoin issuers should retain the logs and other information from the monitoring system for detecting cyber incidents, including "low-and-slow" attacks, in order to facilitate incident investigations, for 12 months or longer.
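The log correlation, anomaly detection and "low-and-slow" detection requirements of SIO-9.6.33 to SIO-9.6.35 are illustrated by the following added example. It is not part of the CBB rulebook and not code from any stablecoin issuer's monitoring system; the log format, addresses, user names, window lengths and thresholds are all assumptions. It correlates failed logins per source over a sliding window: a one-hour burst rule sees nothing in the constructed sample, while the same rule correlated over seven days raises an alert, which is only possible when the logs are still retained. The retention check reads the rule's "12 months or longer" as 365 days.

```python
"""Added example: sliding-window log correlation that catches a low-and-slow
failed-login pattern a short burst rule misses. Log format, addresses and
thresholds are constructed for illustration, not taken from any real system."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not captured from any real host). Source
# 198.51.100.7 fails one login roughly every six hours for two days: never
# five failures in one hour, but seven failures when correlated over days.
SAMPLE_LOGS = [
    "2025-07-01T02:15:00Z sshd: Failed password for admin from 198.51.100.7",
    "2025-07-01T08:40:00Z sshd: Failed password for root from 198.51.100.7",
    "2025-07-01T14:05:00Z sshd: Failed password for ops from 198.51.100.7",
    "2025-07-01T20:30:00Z sshd: Failed password for admin from 198.51.100.7",
    "2025-07-02T02:55:00Z sshd: Failed password for deploy from 198.51.100.7",
    "2025-07-02T09:20:00Z sshd: Failed password for admin from 198.51.100.7",
    "2025-07-02T11:00:00Z sshd: Accepted password for alice from 203.0.113.5",
    "2025-07-02T11:02:00Z sshd: Failed password for alice from 203.0.113.5",
    "2025-07-02T15:45:00Z sshd: Failed password for root from 198.51.100.7",
    "garbage line that the parser must skip rather than crash on",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z sshd: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def correlate_failures(lines, window_hours, threshold):
    """Correlate failed logins per source over a sliding window.

    Returns {source: (window_start_iso, count)} for every source that reaches
    `threshold` failures inside any window of `window_hours`; the entry records
    the window in which the threshold was first crossed.
    """
    window = timedelta(hours=window_hours)
    events = [e for e in map(parse_line, lines) if e and e["outcome"] == "Failed"]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    alerts = {}
    for e in events:
        q = recent[e["src"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and e["src"] not in alerts:
            alerts[e["src"]] = (q[0].isoformat(), len(q))
    return alerts


def retention_satisfied(oldest_retained_iso, now_iso, minimum_days=365):
    """Check the monitoring store still holds logs old enough for slow-burn
    correlation; SIO-9.6.35 asks for 12 months or longer, taken here as 365 days."""
    oldest = datetime.fromisoformat(oldest_retained_iso)
    now = datetime.fromisoformat(now_iso)
    return now - oldest >= timedelta(days=minimum_days)


if __name__ == "__main__":
    print("1-hour burst rule:", correlate_failures(SAMPLE_LOGS, 1, 5))
    print("7-day slow rule:  ", correlate_failures(SAMPLE_LOGS, 24 * 7, 5))
    print("retention ok:", retention_satisfied("2024-06-01T00:00:00+00:00",
                                                "2025-07-02T00:00:00+00:00"))
```

In practice the window and threshold are tuned per log source and the correlation runs inside the monitoring system rather than in a script; the point the example makes is that a slow attack is only visible when the correlation window and the retention period are both long enough to contain it.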
Added: July 2025
SIO-9.6.36
Once a cyber incident is detected, stablecoin issuers should activate their containment measures, processes and technologies best suited to each type of cyber incident to prevent a cyber incident from inflicting further damage. This may involve, after considering the costs, business impact and operational risks, shutting down or isolating all or affected parts of their systems and networks as deemed necessary for containment and diagnosis.
Added: July 2025
SIO-9.6.37
Stablecoin issuers must define roles and responsibilities and assign adequate resources to detect, identify, investigate and respond to cyber incidents that could impact the licensee’s infrastructure, services and clients. Such responsibilities must include log correlation, anomaly detection and maintaining the licensee’s asset inventory and network diagrams.
Added: July 2025
SIO-9.6.38
Stablecoin issuers must regularly identify, test, review and update current cyber security risk scenarios and the corresponding response plan. This is to ensure that the scenarios and response plan remain relevant and effective, taking into account changes in the operating environment, systems or the emergence of new cyber security threats. If any gaps are identified, the monitoring system must be updated with new use cases and rule sets which are capable of detecting the current cyber incident scenarios.
Added: July 2025
SIO-9.6.39
The cyber incident scenario tests should include high-impact-low-probability events and scenarios that may result in failure. Common cyber incident scenarios include distributed denial of service (DDoS) attacks, system intrusion, data exfiltration and system disruption. Stablecoin issuers should regularly use threat intelligence to update the scenarios so that they remain current and relevant. Stablecoin issuers should periodically review current cyber incident scenarios for the purpose of assessing the licensee’s ability to detect and respond to these scenarios if they were to occur.
Added: July 2025
SIO-9.6.40
Stablecoin issuers must ensure that critical cyber security incidents detected are escalated to an incident response team, management and the Board, in accordance with the licensee’s business continuity plan and crisis management plan, and that an appropriate response is implemented promptly. Also refer to Paragraph SIO-9.6.61 for the requirement to report to the CBB.
Added: July 2025
SIO-9.6.41
Stablecoin issuers should clearly assign the roles, responsibilities and accountabilities for cyber incident detection and response activities to one or more named individuals who meet the prerequisite role requirements. Potential conflicts of interest are minimised by ensuring a separation of implementation and oversight roles where possible. The roles should include:
(a) Incident Owner: An individual who is responsible for handling the overall cyber incident detection and response activities according to the incident type and services affected. The Incident Owner is delegated appropriate authority to manage the mitigation or, preferably, removal of all impacts due to the incident.
(b) Spokesperson: An individual who is responsible for managing the communications strategy by consolidating relevant information and views from subject matter experts and the licensed stablecoin issuer’s management to update the internal and external stakeholders with consistent information.
(c) Record Keeper: An individual who is responsible for maintaining an accurate record of the cyber incident throughout its different phases, as well as documenting actions and decisions taken during and after a cyber incident. The record should serve as an accurate source of reference for after-action reviews to improve future cyber incident detection and response activities.
Added: July 2025
SIO-9.6.42
For the purpose of managing a critical cyber incident, stablecoin issuers should operate a situation room, and should include in the incident management procedure a definition of the authorities and responsibilities of staff members, internal and external reporting lines, communication channels, tools and detailed working procedures. The situation room or a war room is a physical room or a virtual room where relevant members of the management gather to handle a crisis in the most efficient manner possible.
Added: July 2025
SIO-9.6.43
Stablecoin issuers should record and document in an orderly manner the incidents that have been handled and the actions that were taken by the relevant functions. In particular, a licensed stablecoin issuer should maintain an "incident log" in which all the notifications, decisions and actions taken, in relation to cyber incidents, are documented, as close as possible to the time of their occurrence. It should also include the status of the issue whether it is open or has been resolved and the person in charge of resolving the issue/incident. The logs should be stored and preserved in a secure and legally admissible manner.
Added: July 2025
SIO-9.6.44
Stablecoin issuers should utilise a pre-defined taxonomy for classifying cyber incidents according to, for example, the type of incident, threat actors, threat vectors and repercussions, and a pre-established severity assessment framework to help gauge the severity of the cyber incident. For example, the following taxonomies can be used when describing cyber incidents:
(a) Describe the cause of the cyber incident (e.g. process failure, system failure, human error, external event, malicious action).
(b) Describe whether the cyber incident is due to a third-party service provider.
(c) Describe the attack vector (e.g. malware, virus, worm, malicious hyperlink).
(d) Describe the delivery channel used (e.g. e-mail, web browser, removable storage media).
(e) Describe the impact (e.g. service degradation/disruption, service downtime, potential impact to clients, data leakage, unavailability of data, data destruction/corruption, reputational damage).
(f) Describe the type of incident (e.g. zero-day attack, exploiting a known vulnerability, isolated incident).
(g) Describe the intent (e.g. malicious, theft, monetary gain, fraud, political, espionage, opportunistic).
(h) Describe the threat actor (e.g. script kiddies, amateur, criminal syndicate, hacktivist, nation state).
(i) The cyber incident severity may be classified as:
    (a) Severity 1 incident has caused or will cause a serious disruption or degradation of critical service(s) and there is potentially high impact on public confidence in the stablecoin issuer.
    (b) Severity 2 incident has or will cause some degradation of critical services and there is medium impact on public confidence in the licensee.
    (c) Severity 3 incident has little or no impact on critical services and there is no visible impact on public confidence in the stablecoin issuer.
Added: July 2025
SIO-9.6.45
Stablecoin issuers should determine the effects of the cyber incident on clients and on the wider financial system as a whole, and report the results of such an assessment to the CBB if it is determined that the cyber incident may have a systemic impact.
Added: July 2025
SIO-9.6.46
Stablecoin issuers should establish metrics to measure the impact of a cyber incident and to report to management the performance of response activities. Examples include:
(a) Metrics to measure impact of a cyber incident:
    i. Duration of unavailability of critical functions and services;
    ii. Number of stolen records or affected accounts;
    iii. Volume of clients impacted;
    iv. Amount of lost revenue due to business downtime, including both existing and future business opportunities; and
    v. Percentage of service level agreements breached.
(b) Performance metrics for incident management:
    i. Volume of incidents detected and responded to via automation;
    ii. Dwell time (i.e. the duration a threat actor has undetected access until completely removed); and
    iii. Recovery point objectives (RPO) and recovery time objectives (RTO) satisfied.
Added: July 2025
SIO-9.6.47
Stablecoin issuers must identify the critical systems and services within their operating environment that must be recovered on a priority basis in order to provide certain minimum levels of service during the downtime, and determine how much time the licensee will require to return to full service and operations.
Added: July 2025
SIO-9.6.48
Critical incidents are defined as incidents that trigger the BCP and the crisis management plan. Critical systems and services are those whose failure can have material impact on any of the following elements:
(a) Financial situation;
(b) Reputation;
(c) Regulatory, legal and contractual obligations;
(d) Operational aspects; and
(e) Delivery of key products and services.
Added: July 2025
SIO-9.6.49
Stablecoin issuers must define a program for recovery activities for the purpose of timely restoration of any capabilities or services that were impaired due to a cyber security incident. Stablecoin issuers must establish recovery time objectives (“RTOs”), i.e. the time within which the intended process is to be recovered, and recovery point objectives (“RPOs”), i.e. the point to which information used must be restored to enable the activity to operate on resumption. Licensees must also consider the need for communication with third party service providers, clients and other relevant external stakeholders as may be necessary.
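The incident log of SIO-9.6.43, the severity framework of SIO-9.6.44, the impact and performance metrics of SIO-9.6.46 and the RTO and RPO definitions above are tied together in the following added example, which is not rulebook text and not any issuer's tooling. It keeps a timestamped record of notifications, decisions and actions with the person in charge and an open/resolved status, classifies severity from the two factors the framework names (how the factors combine is an assumption, since the rule lists them without saying), and derives dwell time, downtime against the RTO, the data-loss window against the RPO and the percentage of SLAs breached. Every identifier, timestamp, objective and taxonomy value in it is constructed.

```python
"""Added example: an incident log with taxonomy, severity and response metrics
(dwell time, downtime against RTO, data-loss window against RPO, SLA breaches).
All timestamps, names and objectives are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def parse_ts(s):
    """Parse a constructed UTC timestamp such as '2025-07-02T02:55Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


def classify_severity(critical_service_impact, public_confidence_impact):
    """Map the severity framework's two factors to Severity 1, 2 or 3.
    critical_service_impact: 'serious' | 'some' | 'none'
    public_confidence_impact: 'high' | 'medium' | 'none'
    The worse of the two factors decides (an assumption; the rule lists the
    factors without saying how to combine them)."""
    if critical_service_impact == "serious" or public_confidence_impact == "high":
        return 1
    if critical_service_impact == "some" or public_confidence_impact == "medium":
        return 2
    return 3


@dataclass
class IncidentLog:
    incident_id: str
    owner: str          # person in charge of resolving the incident
    taxonomy: dict      # cause, third-party involvement, vector, channel, impact, ...
    severity: int
    status: str = "open"
    entries: list = field(default_factory=list)

    def record(self, when, actor, kind, detail):
        """Append a notification, decision or action at the time it occurred."""
        self.entries.append({"ts": parse_ts(when), "actor": actor,
                             "kind": kind, "detail": detail})

    def close(self, when, actor):
        self.record(when, actor, "decision", "incident resolved and closed")
        self.status = "resolved"

    def when(self, kind):
        """Timestamp of a milestone entry; milestone kinds are assumed unique."""
        return next(e["ts"] for e in self.entries if e["kind"] == kind)


def minutes(delta):
    return delta.total_seconds() / 60


def response_metrics(inc, rto, rpo, last_good_backup, slas_breached, slas_total):
    """Compute the impact and performance metrics listed in SIO-9.6.46 from the
    milestones recorded in the incident log."""
    dwell = inc.when("eradication") - inc.when("first_access")
    downtime = inc.when("service_restored") - inc.when("service_down")
    data_loss_window = inc.when("service_down") - parse_ts(last_good_backup)
    return {
        "severity": inc.severity,
        "status": inc.status,
        "dwell_minutes": minutes(dwell),
        "downtime_minutes": minutes(downtime),
        "rto_met": downtime <= rto,
        "rpo_met": data_loss_window <= rpo,
        "sla_breach_pct": 100.0 * slas_breached / slas_total,
    }


def example_incident_metrics():
    """Build a constructed incident and return its metrics."""
    inc = IncidentLog(
        incident_id="INC-EXAMPLE-0001",      # placeholder identifier
        owner="incident owner (constructed)",
        taxonomy={"cause": "malicious action", "third_party": False,
                  "vector": "credential brute force", "channel": "remote access",
                  "impact": "service disruption", "intent": "monetary gain"},
        severity=classify_severity("some", "medium"),
    )
    inc.record("2025-07-01T02:15Z", "forensics", "first_access",
               "earliest unauthorised access found in retained logs")
    inc.record("2025-07-02T02:55Z", "monitoring", "detection", "correlation alert raised")
    inc.record("2025-07-02T04:00Z", "incident owner", "service_down",
               "affected host isolated; dependent service offline")
    inc.record("2025-07-02T07:30Z", "operations", "service_restored",
               "service restored from verified backup")
    inc.record("2025-07-02T09:00Z", "incident owner", "eradication",
               "attacker access fully removed, integrity checks passed")
    inc.close("2025-07-02T10:00Z", "incident owner")
    return response_metrics(inc, rto=timedelta(hours=4), rpo=timedelta(hours=6),
                            last_good_backup="2025-07-02T00:00Z",
                            slas_breached=2, slas_total=8)


if __name__ == "__main__":
    for k, v in example_incident_metrics().items():
        print(f"{k}: {v}")
```

The milestone entries are what make the metrics reproducible after the fact: dwell time runs from the earliest access forensics can establish to eradication, not from detection, and the RPO check compares the outage start with the last backup that was actually verified, which is why the log should be written as close as possible to the time of each event.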
Added: July 2025
SIO-9.6.50
Stablecoin issuers must ensure that all critical systems are able to recover from a cyber security breach within the licensee’s defined RTO in order to provide important services or some level of minimum services for a temporary period of time.
Added: July 2025
SIO-9.6.51
Stablecoin issuers should validate that recovered assets are free of compromise, fully functional and meet the security requirements before returning the systems to normal business operations. This includes performing checks on data to ensure data integrity. In some cases, licensees may need to use backup data kept in a disaster recovery site or plan for the reconstruction of data from external stakeholders such as business partners and clients.
Added: July 2025
SIO-9.6.52
Stablecoin issuers must define a program for exercising the various response mechanisms, taking into account the various types of exercises such as attack simulations, "war games" and "tabletop" exercises, and with reference to the relevant stakeholders such as technical staff, crisis management team, decision-makers and spokespersons.
Added: July 2025
SIO-9.6.53
Stablecoin issuers must define the mechanisms for ensuring accurate, timely and actionable communication of cyber incident response and recovery activities with the internal stakeholders, including to the board or designated committee of the board.
Added: July 2025
SIO-9.6.54
A stablecoin issuer must ensure its business continuity plan is comprehensive and includes a recovery plan for its systems, operations and services arising from a cyber security incident breach.
Added: July 2025