2.4. Technology resources

2.4.1. Sufficient resources

In addition to appropriate systems, resources and controls, a Digital Asset Trading Facility Operator must have sufficient technology resources to continually operate, maintain, and supervise its facility.

2.4.2. Confidentiality

A Digital Asset Trading Facility Operator must take reasonable steps to ensure that its information, records and data are secure, and the confidentiality is maintained.

2.4.3. Cyber-security

A Digital Asset Trading Facility Operator must take reasonable steps to ensure that its IT systems are reliable and adequately protected from external attack or incident, as well as from risks that can arise from inadequacies or failures in the Digital Asset Trading Facility Operator’s processes and systems and, as appropriate, the systems of third-party suppliers, agents and others. This includes ensuring that the necessary resources are in place to manage these risks.

2.4.4. Cyber-security policy

(1) A Digital Asset Trading Facility Operator must implement a written cyber-security policy setting forth its policies and procedures for the protection of its electronic systems, Members and counterparty data stored on those systems, which must be reviewed and approved by the Digital Asset Trading Facility Operator’s Board of Directors at least on an annual basis.

(2) The cyber-security policy must, as a minimum, address the following areas:

(a) information security;

(b) data governance and classification;

(c) access controls;

(d) business continuity and disaster recovery planning and resources;

(e) capacity and performance planning;

(f) appropriateness of systems (including the allocation of responsibilities between internal IT functions and reliance on third party systems);

(g) systems operations and availability concerns;

(h) systems and network security;

(i) systems and application development and quality assurance;

(j) physical security and environmental controls;

(k) customer data privacy;

(l) vendor and third-party service provider management;

(m) incident response; and

(n) arrangements and methods for periodically reviewing and evaluating the effectiveness of the systems.

(3) A Digital Asset Trading Facility Operator must inform the AFSA immediately if it becomes aware, or has reasonable grounds to believe, that a significant breach by any Person of its cyber-security policy may have occurred or may be about to occur.

(4) A Digital Asset Trading Facility Operator must consider the impact of any outsourcing arrangements, as well as the interoperability risks when dealing with systems and software provided by third parties.

(5) A Digital Asset Trading Facility Operator must ensure all staff receive appropriate training in relation to cybersecurity.

2.4.5. On-going monitoring

For the purposes of meeting the requirement in DAA 2.4.1, a Digital Asset Trading Facility Operator must have adequate procedures and arrangements for the evaluation, selection and on-going maintenance and monitoring of IT systems. Such procedures and arrangements must, at a minimum, provide for:

(a) incident and problem management and system change;

(b) testing IT systems before live operations in accordance with the requirements in DAA 2.4.6 and 2.4.7;

(c) real time monitoring and reporting on system performance, availability and integrity; and

(d) adequate measures to ensure:

(i) the IT systems are resilient and not prone to failure;

(ii) business continuity in the event that an IT system fails;

(iii) protection of the IT systems from damage, tampering, misuse or unauthorised access; and

(iv) the integrity of data forming part of, or being processed through, IT systems.

2.4.6. Testing of technology systems

A Digital Asset Trading Facility Operator must, before commencing live operation of its IT systems or any updates thereto, use development and testing methodologies in line with internationally accepted testing standards in order to test the viability and effectiveness of such systems. For this purpose, the testing must be adequate for the Digital Asset Trading Facility Operator to obtain reasonable assurance that, as a minimum, the systems:

(a) enable it to comply with all the applicable requirements on an on-going basis;

(b) can continue to operate effectively in stressed market conditions;

(c) have sufficient electronic capacity to accommodate reasonably foreseeable volumes of messaging and orders;

(d) are adequately scalable in emergency conditions that might threaten the orderly and proper operations of its facility; and

(e) embed any risk management controls, such as generating automatic error reports, which work as intended.

2.4.7. Testing relating to Members’ technology systems

(1) A Digital Asset Trading Facility Operator must implement standardised conformance testing procedures. A Digital Asset Trading Facility Operator must ensure that the systems which its Members are using to access facilities operated by it have a minimum level of functionality that is compatible with its IT systems and will not pose any threat to fair and orderly conduct of its facility.

(2) A Digital Asset Trading Facility Operator must also require its Members, before commencing live operation of any electronic trading system, user interface or a trading algorithm, including any updates to such arrangements, to use adequate development and testing methodologies to test the viability and effectiveness of their systems, to include system resilience and security.

(3) The requirements in (1) and (2) do not apply to the Member of a Digital Asset Trading Facility Operator if the Member is a Body Corporate or an individual (natural person) that carries out the activity solely as principal.

2.4.8. Regular review of systems and controls

(1) A Digital Asset Trading Facility Operator must undertake at least an annual review of its IT systems and controls as appropriate to the nature, scale and complexity of its operations, the diversity of its operations, the volume and size of transactions, and the level of risk inherent with its business.

(2) For the purposes of (1), a Digital Asset Trading Facility Operator must adopt well defined and clearly documented development and testing methodologies which are in line with internationally accepted testing standards.

(3) After the review is complete, a Digital Asset Trading Facility Operator must promptly remedy any deficiencies discovered during the review and keep a record of the review and its findings for a period of 6 years from the review. This record must be provided promptly to the AFSA on request.

2.4.9. Mandatory third-party audit of technology governance and IT systems

(1) A Digital Asset Trading Facility Operator is required to undergo a qualified independent third-party technology governance and IT audit to conduct vulnerability assessments and penetration testing at least on an annual basis.

(2) A Digital Asset Trading Facility Operator must provide the results of technology governance and IT assessments and tests to the AFSA on its request.

(3) The AFSA may publish a list of requirements that should be met by qualified auditors who conduct independent third-party technology governance and IT audit.

Guidance:

Credentials which indicate a qualified independent third-party auditor is suitable to conduct audit of technology governance and IT systems may include:

(1) designation as a Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM) by the Information Systems Audit and Control Association (ISACA); or

(2) designation as a Certified Information Systems Security Professional (CISSP) by the International Information System Security Certification Consortium (ISC); or

(3) accreditation by a recognised and reputable body to certify compliance with relevant ISO/IEC 27000 series standards; or

(4) accreditation by the relevant body to certify compliance with the Kazakhstani standards in the area of information (cyber) security.

2.4.10. Systems and controls

(1) A Digital Asset Trading Facility Operator must ensure that it has appropriate systems and controls to address the risks to its business. Such systems and controls should be developed considering such factors as the nature, scale and complexity of the Digital Asset Trading Facility Operator’s business, the diversity of its operations, the volume and size of transactions, and the level of risk inherent with its business.

(2) A Digital Asset Trading Facility Operator must, as a minimum, have in place systems and controls with respect to the procedures describing the creation, management and control of Digital wallets and private keys, as well as the infrastructure to deal with updates and technological changes such as forks.

(3) A Digital Asset Trading Facility Operator must have adequate systems and controls to enable it to calculate and monitor its capital resources and its compliance with the requirements in DAA 2.2.(2). The systems and controls must be in writing and must be appropriate for the nature, scale and complexity of the Digital Asset Trading Facility Operator’s business and its risk profile.

(4) A Digital Asset Trading Facility Operator must have due regard to its obligations to keep data secure, including the safe storage and transmission of data in accordance with clear protocols.

2.4.11. Technology governance

A Digital Asset Trading Facility Operator must, as a minimum, have in place systems and controls with respect to the following:

(a) Procedures describing the creation, management and controls of Digital wallets, including:

(i) wallet setup/configuration/deployment/deletion/backup and recovery;

(ii) wallet access management;

(iii) wallet user management;

(iv) wallet rules and limit determination, review and update; and

(v) wallet audit and oversight.

(b) Procedures describing the creation, management and controls of private and public keys, including, as applicable:

(i) private key generation;

(ii) private key exchange;

(iii) private key storage;

(iv) private key backup;

(v) private key destruction;

(vi) private key access management;

(vii) public key sharing; and

(viii) public key re-use.

(c) Systems and controls to mitigate the risk of misuse of Digital Assets and money laundering and terrorist financing risks, setting out how:

(i) the origin of Digital Assets is determined, in case of an incoming transaction; and

(ii) the destination of Digital Assets is determined, in case of an outgoing transaction.

(d) A security plan describing the security arrangements relating to:

(i) the privacy of sensitive data;

(ii) networks and systems;

(iii) cloud based services;

(iv) physical facilities; and

(v) documents, and document storage.

(e) A risk management plan containing a detailed analysis of likely risks with both high and low impact, as well as mitigation strategies. The risk management plan must cover, but is not limited to:

(i) operational risks;

(ii) technology risks, including ‘hacking’ related risks;

(iii) market risk for each Digital Asset; and

(iv) risk of Financial Crime.