SIO-9.6.30
At least twice a year, stablecoin issuers must perform vulnerability assessment and penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place. These tests must be used to simulate real-world cyber-attacks on the technology environment and must:
(a) Follow a risk-based approach based on an internationally recognized methodology, such as those published by the National Institute of Standards and Technology (NIST) and the Open Web Application Security Project (OWASP);
(b) Include both Grey Box and Black Box testing in its scope;
(c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;
(d) Be performed internally at periodic intervals by employees having adequate expertise and competency in such testing;
(e) Be performed, twice a year, by external independent third parties who are rotated out at least every two years; and
(f) Be performed either on the production environment or on non-production exact replicas of the production environment.
Added: July 2025