VARA CYBERSECURITY POLICY REQUIREMENTS: THE 18 MANDATORY CRITERIA EVERY VASP MUST ADDRESS

Information Security

Your cybersecurity policy must establish the overarching information security framework, including the scope of the policy, security objectives, roles and responsibilities, and the information security governance structure. This is the foundational criterion that sets the context for all subsequent controls.

What VARA expects: A clear definition of what constitutes “information assets” in your VASP context (including blockchain infrastructure, wallets, APIs, customer data, trade data), classification of those assets by sensitivity, and documented ownership for each asset category.

Data Governance and Classification

A formal data governance framework covering the classification, handling, storage, transmission, and destruction of all data processed by the VASP. Data must be classified according to sensitivity levels (e.g., public, internal, confidential, restricted), with specific controls applied to each classification level.

What VARA expects: A documented data classification matrix, evidence that all data repositories have been classified, data handling procedures for each classification level, and controls for data at rest and in transit. Particular attention to customer KYC/AML data, transaction records, and cryptographic key material.

Access Controls

Comprehensive access control policies covering user provisioning, de-provisioning, role-based access control (RBAC), least privilege principles, privileged access management (PAM), and regular access reviews. This applies to all systems - including blockchain infrastructure, administrative consoles, trading engines, and customer-facing platforms.

What VARA expects: Evidence of quarterly access reviews, documented approval workflows for privileged access, automatic de-provisioning of leavers, segregation of duties (especially between those who can initiate and approve transactions), and audit trails for all access changes.

Asset Inventory and Management

A comprehensive inventory of all technology assets - hardware, software, network devices, cloud services, blockchain nodes, wallets, and APIs. Each asset must be classified, assigned an owner, and included in the vulnerability management and change management scope.

What VARA expects: An up-to-date Configuration Management Database (CMDB) or equivalent, evidence that asset discovery scans are performed regularly, and proof that decommissioned assets are securely wiped and removed from the inventory.

Network Security

Network architecture must implement defence-in-depth principles: network segmentation, firewalls, intrusion detection/prevention systems (IDS/IPS), DDoS protection, and encrypted communications. For VASPs, this extends to blockchain node infrastructure, API gateways, and the segregation of customer-facing systems from back-office and wallet management systems.

What VARA expects: Network architecture diagrams, evidence of segmentation between production/development/staging environments, firewall rule reviews (at least annually), and DDoS mitigation testing results. Hot wallet infrastructure must be on isolated network segments.

System Security and Hardening

All systems must be hardened according to industry benchmarks (e.g., CIS Benchmarks). This includes secure baseline configurations, removal of unnecessary services and default credentials, patch management, and endpoint protection. VARA expects VASPs to maintain documented hardening standards for each system type in their environment.

What VARA expects: Hardening standards documentation, evidence of compliance scanning against those standards, patch management SLAs (critical patches within defined timeframes), and endpoint detection and response (EDR) deployment on all endpoints.

Security Monitoring and Logging

Comprehensive logging of security-relevant events across all systems, with centralised log management (SIEM or equivalent), real-time alerting for critical security events, and defined log retention periods. Logs must be tamper-evident and protected from unauthorised modification or deletion.

What VARA expects: A deployed SIEM with documented use cases and alerting rules, evidence of log review processes (daily/weekly), minimum 12-month log retention, and proof that wallet transaction logs, administrative access logs, and authentication events are all captured.

Application Security

Secure software development lifecycle (SSDLC) practices for all applications developed or operated by the VASP. This includes secure coding standards, code review processes, static and dynamic application security testing (SAST/DAST), and secure deployment practices. For VASPs, this explicitly includes smart contract development.

What VARA expects: Documented SSDLC procedures, evidence of security testing in CI/CD pipelines, smart contract audit reports from independent third parties, and proof that security findings are tracked to remediation.

Encryption and Cryptographic Controls

Policies governing the use of cryptography for data protection, including encryption standards for data at rest and in transit, key management procedures, and approved cryptographic algorithms. This criterion works in conjunction with Part I, Section C (Cryptographic Key and Wallet Management) but focuses on the broader use of encryption across the VASP’s operations.

What VARA expects: Documented encryption standards (minimum AES-256 for data at rest, TLS 1.2+ for data in transit), a cryptographic key management policy, evidence that sensitive data is encrypted in all states, and regular review of cryptographic standards against evolving threats.

Multi-Factor Authentication for VA Transactions

This is one of the most VA-specific criteria in the rulebook. VARA requires multi-factor authentication (MFA) for all virtual asset transactions - not just user login, but the actual execution of trades, withdrawals, and transfers. This goes beyond what most traditional cybersecurity frameworks require.

What VARA expects: MFA enforced on all customer-initiated VA transactions (withdrawals, transfers, trades above defined thresholds), MFA for all administrative and operational actions on wallet infrastructure, and documented MFA bypass procedures (which must be extremely limited and audited). Hardware-based MFA (FIDO2/WebAuthn) is preferred over SMS-based OTP.

Customer and End-User Protection

Security controls specifically designed to protect customers and end users, including account security measures, anti-phishing protections, withdrawal address whitelisting, cooling-off periods for new addresses, and security notifications for account changes. This criterion bridges cybersecurity and consumer protection.

What VARA expects: Documented customer security features (withdrawal whitelisting, email/SMS notifications for account changes, device management), evidence that customers are educated about security risks, and metrics on account compromise incidents and response times.

Physical Security

Physical security controls for data centres, offices, HSM storage locations, and any physical infrastructure involved in VA operations. This includes access control systems, CCTV surveillance, environmental controls, and visitor management. For VASPs using cloud infrastructure, physical security requirements shift to vendor due diligence and contractual assurances.

What VARA expects: For on-premise infrastructure: documented physical access logs, CCTV retention policies, clean desk policies, and secure destruction procedures for media. For cloud-hosted: evidence that cloud providers meet equivalent physical security standards (SOC 2 Type II reports, ISO 27001 certification).

Incident Response and Management

A comprehensive incident response plan covering detection, classification, containment, eradication, recovery, and post-incident review. The plan must include defined severity levels, escalation matrices, communication procedures (internal and external), and the 72-hour VARA reporting obligation. Incident response must be tested through regular tabletop exercises and simulations.

What VARA expects: A documented incident response plan, evidence of at least annual incident response exercises, pre-drafted VARA notification templates, a designated incident response team with clear roles, post-incident reports for all significant incidents, and a lessons-learned process that feeds back into control improvements.

Ransomware Prevention and Response

VARA specifically calls out ransomware as a separate criterion - reflecting the elevated threat landscape for financial and crypto firms. The policy must address ransomware-specific prevention controls (email filtering, endpoint detection, backup strategies), a documented position on ransom payments, and recovery procedures that do not depend on paying a ransom.

What VARA expects: Documented ransomware-specific playbooks, immutable backup strategies (air-gapped or immutable storage), evidence of ransomware simulation exercises, a board-approved position on ransom payment decisions, and proof that critical systems can be recovered from backups without paying ransoms.

Vendor and Third-Party Risk Management

Due diligence, contractual controls, and ongoing monitoring for all third-party technology vendors. This is particularly critical for VASPs that rely on third-party custody solutions, blockchain analytics providers, KYC/AML vendors, cloud infrastructure, and market data providers. The policy must define vendor risk assessment procedures, minimum security requirements for vendors, and exit strategies.

What VARA expects: A vendor register with risk classifications, evidence of due diligence assessments for critical vendors, contractual requirements including audit rights and data protection clauses, regular vendor security reviews, and documented exit plans for critical vendor dependencies.

Security Awareness and Training

A mandatory security awareness programme for all employees, contractors, and relevant third parties. Training must cover general cybersecurity hygiene, VASP-specific risks (social engineering targeting crypto employees, SIM swap attacks, insider threats), phishing simulations, and role-specific training for developers, operations staff, and senior management.

What VARA expects: Documented training curricula, evidence of completion (training records), at least annual mandatory training for all staff, phishing simulation results and trend analysis, and specialised training for staff with privileged access or key management responsibilities.

Vulnerability Management

A structured vulnerability management programme covering vulnerability scanning (automated and manual), vulnerability prioritisation, remediation SLAs, and exception management. VASPs must conduct regular vulnerability assessments performed by independent third parties, with results documented and remediation tracked to completion.

What VARA expects: Evidence of regular vulnerability scans (at least monthly for external, quarterly for internal), defined remediation timeframes by severity (e.g., critical within 48 hours, high within 7 days), documented exceptions with risk acceptance sign-off, and annual independent vulnerability assessments.

Risk Assessment and Continuous Improvement

The final criterion requires VASPs to conduct regular cybersecurity risk assessments, maintain a risk register, and implement a continuous improvement cycle for their cybersecurity programme. Risk assessments must consider evolving threats specific to the VA industry (smart contract exploits, bridge attacks, oracle manipulation, key compromise scenarios) and must be updated at least annually or after significant changes.

What VARA expects: A documented risk assessment methodology, a cybersecurity risk register with risk ratings and treatment plans, evidence of at least annual risk assessment reviews, integration of threat intelligence into risk assessments, and documented improvement initiatives driven by risk assessment findings, incidents, and audit results.