3.4. Technology governance, controls and security
3.4.1. Systems and controls
(1) A Digital Asset Service Provider must ensure that it implements systems and controls necessary to address the risks, including cybersecurity-related risks, to its business. The relevant systems and controls should take into account factors including, but not limited to, the nature, scale and complexity of the Digital Asset Service Provider’s business, the diversity of its operations, the volume and size of transactions made using its facilities and the level of risk inherent in its business and activities.
(2) A Digital Asset Service Provider must have adequate systems and controls to enable it to calculate and monitor its capital resources and its compliance with the requirements in DAA 3.2. The systems and controls must be in writing and must be appropriate for the nature, scale and complexity of the Digital Asset Service Provider’s business and its risk profile.
3.4.2. Technology governance and risk assessment framework
(1) A Digital Asset Service Provider must implement a technology governance and risk assessment framework which must be comprehensive and proportionate to the nature, scale, and complexity of the risks inherent in its business model.
(2) The technology governance and risk assessment framework must apply to all technologies relevant to a Digital Asset Service Provider’s business and clearly set out the Digital Asset Service Provider’s cybersecurity objectives, including the requirements for the competency of its relevant Employees and, as relevant, end users and Clients, and there must be in place clearly defined systems and procedures necessary for managing risks.
(3) A Digital Asset Service Provider must ensure that its technology governance and risk assessment is capable of determining the necessary processes and controls that it must implement in order to adequately mitigate any risks identified. In particular, a Digital Asset Service Provider must ensure that its technology governance and risk assessment framework includes consideration of international standards and industry best practice codes.
(4) A Digital Asset Service Provider must ensure that its technology governance and risk assessment framework incorporates appropriate governance policies and system development controls, such as a development, maintenance and testing process for technology systems and operations controls, back-up controls, capacity and performance planning and availability testing.
3.4.3. Cyber-security matters
A Digital Asset Service Provider must take reasonable steps to ensure that its IT systems are reliable and adequately protected from external attack or incident, as well as from risks that can arise from inadequacies or failures in its processes and systems (and, as appropriate, the systems of third-party suppliers, agents and others). A Digital Asset Service Provider must ensure that the necessary resources are in place to manage these risks.
3.4.4. Cyber-security policy
(1) A Digital Asset Service Provider must create and implement a policy which outlines its procedures for the protection of its electronic systems.
(2) A Digital Asset Service Provider must ensure that its cyber-security policy is reviewed at least on an annual basis by its Chief Information Technology Officer, and that such review is provided to the Board of Directors.
(3) The cyber-security policy must, as a minimum, address the following areas:
(a) information security;
(b) data governance and classification;
(c) access controls;
(d) business continuity and disaster recovery planning and resources;
(e) capacity and performance planning;
(f) systems operations and availability concerns;
(g) systems and network security, consensus protocol methodology, code and smart contract validation and audit processes;
(h) systems and application development and quality assurance;
(i) physical security and environmental controls, including but not limited to procedures around access to premises and systems;
(j) customer data privacy;
(k) procedures regarding facilitation of Digital Asset transactions initiated by a Client including, but not limited to, considering multi-factor authentication or any better standard for Digital Asset transactions that—
(i) exceed transaction limits set by the Client, such as accumulative transaction limits over a period of time; and
(ii) are initiated after a material change of personal details by the Client, such as the address of a Digital wallet;
(l) procedures regarding Client authentication and session controls including, but not limited to, the maximum number of incorrect attempts permitted for entering a password, appropriate time-out controls and password validity periods;
(m) procedures establishing adequate authentication checks when a change to a Client’s account information or contact details is requested;
(n) vendor and third-party service provider management;
(o) monitoring and implementing changes to core protocols not directly controlled by the Digital Asset Service Provider, as applicable;
(p) incident response, including but not limited to, root cause analysis and rectification activities to prevent reoccurrence;
(q) governance framework and escalation procedures for effective decision-making and proper management and control of risks and emergency incidents, including but not limited to responses to ransomware and other forms of cyberattacks; and
(r) hardware and infrastructure standards, including but not limited to network lockdown, services/desktop security and firewall standards.
(4) A Digital Asset Service Provider must consider the impact of any outsourcing arrangements, as well as the interoperability risks when dealing with systems and software provided by third parties, where applicable.
(5) A Digital Asset Service Provider must ensure all staff receive appropriate training in relation to cybersecurity.
(6) A Digital Asset Service Provider must inform the AFSA as soon as practicable if it becomes aware, or has reasonable grounds to believe, that a significant breach by any Person of its cyber-security may have occurred.
3.4.5. Cryptographic keys and Digital wallets management procedure
(1) A Digital Asset Service Provider must ensure that its cryptographic keys and Digital wallets management procedure addresses, to the extent necessary, the generation of cryptographic keys and Digital wallets, the signing and approval of transactions, the storage of cryptographic keys and seed phrases, and the creation and management of Digital wallets.
(2) A Digital Asset Service Provider must:
(a) safeguard access to Digital Assets in accordance with industry best practices and, in particular, ensure that there is no single point of failure in the Digital Asset Service Provider’s access to, or knowledge of, Digital Assets held by the Digital Asset Service Provider;
(b) adopt industry best practices for storing the private keys of Clients, including ensuring that keys stored online or in one physical location are not capable of being used to conduct a Digital Asset transaction, unless appropriate controls are in place to ensure that access by an unauthorised individual is insufficient to conduct a transaction;
(c) ensure that backups of the key and seed phrases are stored in a separate location from the primary key or seed phrase;
(d) adopt strict access management controls to manage access to keys, including an audit log detailing each change of access to keys; and
(e) adopt procedures designed to be able to immediately revoke a key signatory’s access.
(3) A Digital Asset Service Provider must:
(a) ensure that the key generation process prevents revoked signatories from having access to the backup seed phrase or knowledge of the phrase used in the key’s creation;
(b) perform internal audits on a quarterly basis concerning the removal of user access by reviewing access logs and verifying access as appropriate;
(c) implement and maintain a procedure for documenting the onboarding and offboarding of staff;
(d) implement and maintain a procedure for documenting a Digital Asset Service Provider’s permission to grant or revoke access to each role in its key management system; and
(e) regularly assess the security of its IT systems or software integrations with external parties and ensure that the appropriate safeguards are implemented in order to mitigate all relevant risks.
(4) A Digital Asset Service Provider should provide information to Clients on measures they can take to protect their keys or seed phrases from misuse or unauthorised access, and the consequences of sharing their private keys and other security information.
(5) A Digital Asset Service Provider must ensure that access to its systems and data may only be granted to individuals with a demonstrable business need and implement safeguards to ensure the proper identification of all individuals, including the maintenance of an access log.
3.4.6. On-going monitoring
For the purposes of meeting the requirement in DAA 3.4.1, a Digital Asset Service Provider must have adequate procedures and arrangements for the evaluation, selection and on-going maintenance and monitoring of its IT systems. Such procedures and arrangements must, at a minimum, provide for:
(a) problem management and system change;
(b) testing IT systems before live operations in accordance with the requirements in DAA 3.4.7;
(c) real time monitoring and reporting on system performance, availability and integrity; and
(d) adequate measures to ensure:
(i) IT systems are resilient and not prone to failure;
(ii) business continuity in the event that an IT system fails;
(iii) protection of IT systems from damage, tampering, misuse or unauthorised access; and
(iv) the integrity of data forming part of, or being processed through, IT systems.
3.4.7. Testing and audit of technology systems
(1) A Digital Asset Service Provider must, before commencing live operation of its IT systems or any updates thereto, use development and testing methodologies in line with internationally accepted testing standards in order to test the viability and effectiveness of such systems. For this purpose, the testing must be adequate for the Digital Asset Service Provider to obtain reasonable assurance that, among other things:
(a) the systems enable it to comply with all the applicable requirements on an on-going basis;
(b) the systems can continue to operate effectively in stressed market conditions;
(c) the systems have sufficient electronic capacity to accommodate reasonably foreseeable volumes of messaging and orders; and
(d) any risk management controls embedded within the systems, such as generating automatic error reports, work as intended.
(2) A Digital Asset Service Provider must undergo a qualified independent third-party technology governance and IT audit, including vulnerability assessments and penetration testing, at least on an annual basis.
(3) A Digital Asset Service Provider must engage a qualified independent third-party auditor to audit any new systems, applications and products prior to their use.
(4) A Digital Asset Service Provider must provide the results of technology governance and IT assessments and tests to the AFSA promptly upon its request.
3.4.8. Technology audit reports
(1) This Rule applies to a Digital Asset Service Provider that:
(a) holds or controls Digital Assets;
(b) relies on DLT or similar technology to carry on one or more of the following Regulated Activities in relation to Digital Assets:
(i) Dealing in Investments as Principal;
(ii) Dealing in Investments as Agent;
(iii) Arranging Deals in Investments;
(iv) Managing Investments;
(v) Advising on Investments;
(vi) Providing Custody; or
(vii) Arranging Custody; or
(viii) is Managing a Collective Investment Scheme where 10% or more of the gross asset value of the Fund Property of the Fund consists of Digital Assets.
(2) The Authorised Firm must:
(a) appoint a suitably qualified independent third-party professional to:
(i) carry out an annual audit of the Authorised Firm’s compliance with the technology resources and governance requirements that apply to it; and
(ii) produce a written report which sets out the methodology and results of that annual audit, confirms whether the requirements referred to in DAA 3.4.7 have been met and lists any recommendations or areas of concern;
(b) submit to the AFSA a copy of the report referred to in DAA 3.4.8(2)(a)(ii) within 6 months of the financial year end; and
(c) be able to satisfy the AFSA that the independent third party professional appointed to carry out the annual audit has the relevant expertise to do so, and that the Authorised Firm has done proper due diligence to satisfy itself of that fact.
Guidance:
Credentials which indicate that a qualified independent third-party auditor is suitable to conduct an audit of technology governance and IT systems may include:
(1) designation as a Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM) by the Information Systems Audit and Control Association (ISACA);
(2) designation as a Certified Information Systems Security Professional (CISSP) by the International Information System Security Certification Consortium (ISC);
(3) accreditation by a recognised and reputable body to certify compliance with relevant ISO/IEC 27000 series standards; or
(4) accreditation by the relevant body to certify compliance with the Kazakhstani standards in the area of information (cyber) security.