January 6, 2025

Guarding against Hacks: UAE’s Cybersecurity Regulations Protecting Virtual Asset Companies and Customers

by Soham Jethani, Pankhuri Malhotra, Abhay Raj and Tanvi Nimje


KEY TAKEAWAYS

  • VARA and SCA establish stringent cybersecurity requirements, positioning the UAE as a global leader in safeguarding virtual asset companies.
  • VARA mandates comprehensive cybersecurity policies, including robust data protection, network security, and incident response measures, ensuring a secure licensing process.
  • The SCA complements VARA by enforcing layered security, encryption standards, and transparency requirements, enhancing trust and operational reliability.
  • VARA’s insurance requirements ensure robust protection against cybercrime and operational risks, fostering a secure and customer-focused ecosystem for VASPs.
  • With forward-thinking regulations and a commitment to innovation, the UAE offers unparalleled opportunities for virtual asset companies to thrive in a secure and commercially advantageous environment.

INTRODUCTION

The rise in cybercrime has become a concerning global trend, with hackers targeting the digital economy, including the virtual asset sector. In 2024, as per the Chainalysis Crypto Crime Report, the value of funds stolen from crypto-related crimes saw a 21.07% increase year-over-year, reaching $2.2 billion. Hacking incidents also grew from 282 in 2023 to 303 in 2024.[1]

Amid the growing alarm over such incidents, discussions about cryptocurrency hacks often lack nuance, overlooking the role of robust regulatory frameworks in mitigating these risks. The UAE’s regulated exchanges operate under stringent guidelines that impose rigorous systems and controls. Against this backdrop, the UAE stands out with its adaptive cybersecurity regulations, creating a secure and friendly environment for virtual asset service providers (“VASP”) and their customers. By mandating accountability, transparency, and compliance with advanced cybersecurity standards, the UAE’s regulations also demonstrate how thoughtful governance can address the vulnerabilities of the virtual asset ecosystem.

UAE’S VIRTUAL ASSET FRAMEWORK: INNOVATION AND REGULATION

The UAE has become a global hub for VASPs by adopting a forward-thinking regulatory framework. Regulators such as the Virtual Assets Regulatory Authority (“VARA”)[2] and the Securities and Commodities Authority (“SCA”)[3] play pivotal roles in ensuring that VASPs and exchanges operate within stringent, compliance-focused frameworks.

These frameworks mandate robust cybersecurity protocols, regular audits, and compliance checks to mitigate the risks associated with cybercrime. The UAE fosters an environment where innovation thrives without compromising security by embedding cybersecurity as a central pillar of its regulations.

Cybersecurity: A Pillar of Regulation

Recognising the escalating threat of cybercrime, UAE regulators have integrated advanced cybersecurity measures into their guidelines. These measures are designed to protect virtual asset infrastructure, safeguard client data, and enhance trust in the ecosystem. The UAE’s cybersecurity initiatives are aligned with global best practices, making it a benchmark for jurisdictions aiming to balance innovation and risk management in the virtual asset sector.

VARA’S CYBERSECURITY MEASURES

Through its rigorous cybersecurity framework, VARA has improved the UAE’s position as a global hub for VASPs. A cornerstone of this framework is the Technology and Information Rulebook,[4] which requires VASPs to develop and maintain a comprehensive Cybersecurity Policy.[5]

This policy, a critical component of VARA’s licensing process and ongoing operational compliance, protects electronic systems and client data. It must be submitted to VARA for approval and undergo annual updates under the oversight of a chief information security officer.

Key Components of the Cybersecurity Policy

VARA mandates that each Cybersecurity Policy addresses the following critical areas:

(a) Information Security and Data Governance: Implementing robust controls to protect client data and ensure compliance with relevant laws.

(b) Access Controls: Introducing multi-factor authentication, session management, and protocols for transaction authorisation, particularly after changes to client details.

(c) Incident Response: Developing strategies for ransomware attacks, root cause analysis, and rectification to prevent recurrence.

(d) Vendor and Third-Party Management: Assessing risks associated with service providers and external dependencies.

(e) Infrastructure and System Security: Establishing hardware and network security protocols, including firewalls and lockdown standards.

(f) Client Authentication and Privacy: Ensuring secure methods for data transfer and minimising risks of unauthorised access or information leakage.

(g) Governance Framework: Crafting escalation procedures to address emergency incidents effectively.

Insurance Requirements

VASPs must secure insurance policies specifically designed to align with the nature and scale of their operations. These include: [6]

(a) Professional Indemnity Insurance: Covers liabilities arising from professional errors, omissions, or negligence, safeguarding businesses from legal and financial repercussions.[7]

(b) Directors’ and Officers’ Insurance: Provides personal liability protection for directors and officers, covering decisions made in their official capacities.[8]

(c) Commercial Crime Insurance: Protects virtual assets stored in hot wallets against cybercrime, theft, and fraud risks.[9]

The insurance requirement, especially Commercial Crime Insurance, protects consumers from losing their assets if a regulated exchange or VASP is hacked or experiences theft. With this coverage in place, VARA ensures that consumers are safeguarded and do not bear the financial impact of such incidents.

SCA’S CYBERSECURITY MEASURES

The SCA has also implemented rigorous cybersecurity requirements, underscoring the UAE’s commitment to being a secure and competitive hub for virtual asset businesses. These measures reflect the SCA’s focus on operational integrity and investor protection.

Key Components of the SCA’s Requirements

(a) Network Security: VASPs must adopt robust network security protocols, including firewalls, multi-factor authentication, and data encryption at rest and in transit.[10] Regular system updates and third-party audits of the IT infrastructure[11] are mandated to address vulnerabilities and minimise risks of breaches or operational disruptions.

(b) Layered Security Approach: The SCA emphasises a multi-layered security framework, ensuring no single point of failure exists.[12] This is particularly critical for entities like virtual asset custodians and multi-trading facilities, where client funds and sensitive data require exceptional protection.

(c) Stringent Encryption Standards: Private keys and other sensitive data must be safeguarded using advanced protocols that adhere to international standards.[13]

(d) Incident Management and Reporting: The SCA mandates logging and documenting security incidents, requiring detailed root cause analyses and mitigation strategies to prevent recurrence.[14]

Insurance Requirements

In July 2024, the SCA introduced new guidelines to regulate virtual assets and VASPs.[15] While the SCA does not mandate insurance for VASPs, the guidelines underscore the role of insurance as a secondary line of defence. They suggest that businesses must prioritise establishing comprehensive mechanisms to address actual and potential risks associated with their operations. A recent article published by TLP Advisors provides a detailed analysis of the SCA’s guidelines on the virtual asset industry.[16]

HOW CAN TLP ADVISORS ASSIST?

At TLP Advisors, we are a forward-thinking consulting, strategy, and law firm specialising in solutions for the financial services, gaming, Web3, and emerging tech sectors. With deep expertise in these industries, we provide tailored support to address their unique challenges.

Our team has recently assisted a client with reviewing various policies and addressing the gaps list for their licensing application with VARA (please read our published case study here).[17] We also helped another client draft their policies and licensing application from scratch for VARA (please read our published case study here).[18] We are also assisting a client in obtaining a VASP licence under SCA.

Furthermore, if you have experienced hacks or thefts, we have previously helped several clients recover their funds from regulated exchanges. Our expertise in navigating these issues can support you in similar situations.

CONCLUSION

The UAE is the ideal jurisdiction for licensing virtual asset companies, offering a secure, forward-thinking environment that ensures peace of mind for investors and businesses alike. With comprehensive cybersecurity regulations under VARA and the SCA, the UAE leads the world in virtual asset security, effectively addressing emerging cybercrime and crypto-crime challenges. These robust frameworks and mandatory insurance safeguards provide a solid foundation for long-term success and growth.

***

TLP Advisors has consistently been the firm of choice for L1 chains, DeFi protocols, gaming companies, fintech and payment companies, foundations, funds, and investors. We have built a reputation for excellence through frequent collaborations with regulators, funds, and technology incubators. Our deep understanding of the intricate regulatory landscapes and industry dynamics allows us to provide strategic guidance and innovative solutions that empower our clients to navigate complex challenges and seize emerging opportunities.

www.techlawpolicy.com.

***

[1] Chainalysis, ‘Crypto Hacking: $2.2 Billion Stolen in 2024’ (2024) https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2025/

[2] VARA’s jurisdiction governs licensing and supervision of virtual assets within Dubai, including free zones such as the Dubai International Financial Centre (“DIFC”). It covers activities like trading, issuance, and custody, ensuring compliance and investor protection.

[3] The SCA regulates securities, commodities, and financial markets within the UAE, ensuring market integrity and investor protection. It covers activities like trading, issuance, and brokerage, excluding areas like the DIFC.

[4] VARA, Technology and Information Rulebook https://rulebooks.vara.ae/rulebook/technology-and-information-rulebook.

[5] Virtual Assets Regulatory Authority, B. Cybersecurity Policy https://rulebooks.vara.ae/rulebook/b-cybersecurity-policy.

[6] Clause 1, Section D, Part 6, Company Rulebook, https://rulebooks.vara.ae/rulebook/company-rulebook.

[7] Virtual Assets Regulatory Authority, ‘Part VI – Capital and Prudential Requirements: D. Insurance’ (2024), Article 1(a) https://rulebooks.vara.ae/rulebook/d-insurance?form=MG0AV3.

[8] Virtual Assets Regulatory Authority, ‘Part VI – Capital and Prudential Requirements: D. Insurance’ (2024), Article 1(b) https://rulebooks.vara.ae/rulebook/d-insurance?form=MG0AV3.

[9] Virtual Assets Regulatory Authority, ‘Part VI – Capital and Prudential Requirements: D. Insurance’ (2024), Article 1(c) https://rulebooks.vara.ae/rulebook/d-insurance?form=MG0AV3.

[10] UAE Securities and Commodities Authority, Appendix 7, para 13 (1), ‘Section 3: Business Practice’ (2024) www.sca.gov.ae/assets/357e6fa1/section3-business-practice-2024.aspx and Paragraph 35 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[11] Paragraph 34 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[12] UAE Securities and Commodities Authority, Appendix 7, para 13 (3), ‘Section 3: Business Practice’ (2024) www.sca.gov.ae/assets/357e6fa1/section3-business-practice-2024.aspx

[13] UAE Securities and Commodities Authority, Appendix 7, para 13 (6), ‘Section 3: Business Practice’ (2024) www.sca.gov.ae/assets/357e6fa1/section3-business-practice-2024.aspx

[14] UAE Securities and Commodities Authority, Appendix 7, para 13 (7), ‘Section 3: Business Practice’ (2024) www.sca.gov.ae/assets/357e6fa1/section3-business-practice-2024.aspx

[15] Paragraph 97 of the Guidelines for Regulation of Virtual Assets and Virtual Assets Services Providers.

[16] Soham Jethani, et al., SCAnning VASPs: Guidelines for Regulation of Virtual Assets and Virtual Asset Service Providers, TLP Advisors (08 August 2024), https://techlawpolicy.com/2024/08/scanning-vasps-guidelines-for-regulation-of-virtual-assets-and-virtual-asset-service-providers/#_edn30.

[17] Soham Jethani, et al., Case Study: Addressing Gaps Lists for a Successful Licensing Process, TLP Advisors (24 December 2024), https://techlawpolicy.com/2024/12/case-study-addressing-gaps-lists-for-a-successful-licensing-process/.

[18] Soham Jethani, et al., Case Study: Efficient and Comprehensive Licensing Support for Regulatory Compliance, TLP Advisors (26 November 2024), https://techlawpolicy.com/2024/11/case-study-efficient-and-comprehensive-licensing-support-for-regulatory-compliance/.
