| 1. | Digital operational resilience test standard: To achieve a high level of digital operational resilience, VASPs are expected to carry out digital operational resilience testing including, but not limited to—
| a. | establishing and maintaining a sound and comprehensive digital operational resilience testing programme, including a range of assessments, tests, methodologies, practices and tools as set out below in paragraph 2; | | b. | identifying weaknesses, deficiencies and gaps in digital operational resilience and promptly implementing corrective measures; | | c. | when conducting the digital operational resilience testing programme, VASPs should follow a risk-based approach taking into account any specific risks to which the VASP is or might be exposed, the criticality of assets and of services provided by or to the VASP, as well as any other material risk factor; | | d. | ensuring that tests are undertaken by independent external parties; | | e. | classifying and remedying all issues revealed throughout the performance of the tests and establishing internal validation processes to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed; and | | f. | ensuring that appropriate tests are conducted at least yearly on all systems and applications supporting Critical or Important Functions.
|
|