SIO-9.6.13
Stablecoin issuers must implement a written cyber security risk policy setting out the licensee’s board-approved policies and related procedures that are approved by senior management, for the protection of its electronic systems and client data stored on those systems. This policy must be reviewed and approved by the licensee’s board of directors at least annually. The cyber security policy, among others, must address the following areas:
(a) A statement of the stablecoin issuer’s overall cyber risk tolerance as aligned with the licensee’s business strategy. The cyber risk tolerance statement should be developed through consideration of the various impacts of cyber threats including customer impact, service downtime, recovery time objectives and occurrence/severity of cyber security breaches. The statement must also consider the impact on clients, potential negative media publicity, potential regulatory penalties, financial loss etc.;
(b) Strategy and measures to manage cyber security risk encompassing prevention, detection and recovery from a cyber security breach;
(c) Roles, responsibilities and lines of accountability of the board, the board committees, the person responsible and accountable for effective management of cyber security risk, and key personnel involved in functions relating to the management of cyber security risk (such as information technology and security, business units and operations, risk management, business continuity management and internal audit);
(d) Processes and procedures for the identification, detection, assessment, prioritisation, containment, response to, and escalation of cyber security breaches for decision-making;
(e) Processes and procedures for the management of outsourcing, system development and maintenance arrangements with third-party service providers, including requirements for such third-party service providers to comply with the licensed stablecoin issuer’s cyber security risk policy;
(f) Communication procedures that will be activated by the stablecoin issuer in the event of a cyber security breach, which include reporting procedures, information to be reported, communication channels, list of internal and external stakeholders and communication timeline; and
(g) Other key elements of the information security and cyber security risk management including the following:
i. information security;
ii. data governance and classification;
iii. access controls;
iv. business continuity and disaster recovery planning and resources;
v. capacity and performance planning;
vi. systems operations and availability concerns;
vii. systems and network security;
viii. systems and application development and quality assurance;
ix. physical security and environmental controls;
x. client data privacy;
xi. vendor and third-party service provider management;
xii. monitoring and implementing changes to core protocols not directly controlled by the licensee, as applicable;
xiii. incident response; and
xiv. system audit.
Added: July 2025