
The VARA Cybersecurity Checklist for 2026: What UAE Virtual Asset Firms Must Have in Place Right Now

VARA's cybersecurity requirements are not a framework you can approximate. This is the definitive operational checklist for UAE-licensed VASPs — covering TLPT, key governance, incident response, smart contract security, and what separates genuine compliance from checkbox theatre.

Why This Checklist Matters More in 2026 Than It Did in 2025

The virtual asset landscape in the UAE shifted permanently in February 2026. The Bybit hack — a $1.5 billion loss in a single coordinated attack — was not a failure of technology alone. It was a failure of the governance, testing, and monitoring controls that exist precisely to catch what technology misses. For UAE virtual asset service providers (VASPs) operating under the Virtual Assets Regulatory Authority (VARA), that distinction matters enormously.

VARA's cybersecurity framework was designed with exactly this class of threat in mind. It mandates controls that go far beyond perimeter security and standard vulnerability scanning. It requires adversarial testing, cryptographic key governance, on-chain monitoring, board-level accountability, and incident response capabilities that can operate under real attack conditions — not just in tabletop exercises.

As VARA moves into its 2026 supervisory cycle, the question for every licensed VASP and every firm in the licensing pipeline is not whether you have a cybersecurity programme. It is whether your cybersecurity programme meets VARA's specific requirements — and whether you can prove it.

This checklist covers every major control domain VARA expects. Use it to assess your current posture honestly. The gaps you find now are far less costly than the gaps VARA finds during a supervisory review.

1. Governance and Board Accountability

VARA places cybersecurity accountability at the board level. This is not a compliance formality — it directly shapes what your cybersecurity programme must be able to demonstrate to the regulator.

  • Board-approved cybersecurity policy: Your organisation must have a documented, board-approved cybersecurity policy that is reviewed at least annually. The policy must reflect the specific risks of virtual asset operations, not a generic information security template.
  • CISO or equivalent appointment: VARA expects a named, accountable individual responsible for cybersecurity. For firms that cannot justify a full-time CISO, a Virtual CISO (vCISO) engagement with documented scope and accountability is an accepted and increasingly common model in the UAE market. The key requirement is that the role is real, documented, and operationally active — not a title on an organogram.
  • Cybersecurity risk reporting to board: Your board must receive regular cybersecurity risk reports. VARA expects this to be a standing agenda item, with documented minutes demonstrating that the board has reviewed, challenged, and acknowledged cybersecurity risk.
  • Third-party and vendor risk management: VARA requires documented processes for assessing and monitoring the cybersecurity posture of critical third-party vendors — including custodians, wallet providers, exchange integrations, and cloud infrastructure providers.

Common gap: Many VASPs have the policy documentation but cannot demonstrate active board engagement. VARA examiners look for evidence of genuine oversight, not paper compliance.

2. Threat-Led Penetration Testing (TLPT)

TLPT is one of the most operationally demanding requirements in VARA's cybersecurity framework — and the one most commonly misunderstood or inadequately implemented.

  • TLPT is not a standard penetration test: A conventional penetration test scopes a defined set of systems, follows a structured methodology, and produces a findings report. TLPT is adversarial simulation — it mirrors the tactics, techniques, and procedures of real threat actors targeting virtual asset businesses specifically. The Bybit attacker, for example, exploited a front-end interface manipulation technique that most standard penetration tests would not simulate.
  • Scope must cover the full attack surface: VARA TLPT scope includes transaction authorisation flows, multi-signature signing environments, wallet management systems, API layers, internal network access paths, and — critically — the interfaces between front-end applications and smart contract-based back-end systems.
  • Frequency: VARA expects TLPT to be conducted at a frequency commensurate with the risk profile of the operation. For active trading platforms and OTC brokers, annual TLPT is the baseline expectation. Significant infrastructure changes trigger ad-hoc requirements.
  • Regulator-defensible reporting: The output of a VARA TLPT engagement must be structured for regulatory submission. This means executive-level risk summaries, technical findings with CVSS scoring, remediation timelines, and evidence of management sign-off — not just a technical report written for the security team.

Common gap: Firms commissioning standard penetration tests and presenting them as TLPT compliance. VARA's framework distinguishes between the two explicitly, and examiner scrutiny of TLPT documentation is increasing in 2026.

3. Cryptographic Key Governance

For virtual asset businesses, cryptographic key governance is not an IT security control — it is the core of the business. Loss of keys or compromise of signing environments means direct, irreversible loss of client assets.

  • Key generation and storage: VARA requires documented, audited processes for cryptographic key generation, including entropy sources, hardware security module (HSM) usage, and physical security controls for key ceremony environments.
  • Hot and cold wallet architecture: Your wallet architecture must be documented, risk-justified, and subject to regular review. The split between hot and cold storage, the thresholds for each, and the controls governing movement between them must all be formally documented and tested.
  • Multi-signature governance: Where multi-signature schemes are used, VARA expects documented controls covering quorum requirements, signer verification procedures, and — critically — controls to detect and prevent the class of front-end manipulation attack that compromised Bybit's signing environment.
  • Key rotation and recovery: Documented, tested procedures for key rotation and emergency key recovery. Recovery procedures must have been tested under realistic conditions — not just documented theoretically.
  • Access controls and segregation of duties: No single individual should have unilateral access to keys or the ability to authorise transactions above defined thresholds. VARA expects segregation of duties controls to be implemented and audited.

Common gap: Recovery procedures that exist on paper but have never been tested. VARA will ask for evidence of testing, not just documentation.

4. Incident Response and 72-Hour Notification

VARA's 72-hour incident notification requirement is one of the most operationally demanding timelines of any UAE regulatory framework. Meeting it under real attack conditions requires preparation that goes far beyond having a policy document.

  • Incident response plan: A documented IRP that covers detection, containment, eradication, recovery, and post-incident review — specifically calibrated to the incident scenarios relevant to virtual asset operations: exchange compromise, wallet draining, ransomware, insider threat, and API abuse.
  • Runbooks for priority scenarios: Pre-built, tested runbooks for the highest-probability incident types. During an active incident, your team should be executing a tested procedure, not writing one.
  • VARA notification procedure: A documented, tested procedure for the 72-hour VARA notification — including who is responsible, what information must be included, and how that information is assembled and communicated under incident conditions.
  • Retainer with incident response capability: VARA expects access to qualified incident response capability. In-house teams are acceptable for firms of sufficient scale; for most VASPs, an external IR retainer with documented SLAs is the practical approach.
  • Post-incident review and regulatory reporting: After a material incident, VARA expects a formal post-incident review report and ongoing regulatory engagement until the incident is closed. This process must be documented and assigned.

Common gap: IRPs that have never been exercised. VARA examiners will ask when the plan was last tested and what the outcomes were. An untested IRP is not a control.

5. On-Chain and Transaction Monitoring

Standard security monitoring does not extend to the blockchain layer. VARA expects VASPs to have monitoring capabilities that cover on-chain activity — not just network and endpoint telemetry.

  • Transaction anomaly detection: Real-time monitoring for transaction patterns that deviate from baseline behaviour — unusual transaction sizes, rapid sequential transactions, destination wallet risk scoring, and cross-chain bridge activity.
  • Wallet address screening: Integration with blockchain analytics tools to screen counterparty wallet addresses against sanctions lists, known illicit addresses, and high-risk clusters before transaction execution.
  • KYT (Know Your Transaction) integration: Ongoing transaction monitoring aligned with VARA's AML/CFT requirements. KYT is not a separate compliance function — it is operationally integrated with cybersecurity monitoring because the attack vectors for financial crime and cybersecurity incidents overlap significantly.
  • Alert thresholds and escalation procedures: Documented thresholds for automated alerts, with clear escalation paths to security, compliance, and senior management.

Common gap: Treating KYT as a compliance function managed separately from cybersecurity. VARA's framework treats them as integrated — and the Bybit hack demonstrated why: the attack exploited the transaction layer, which is where both cybersecurity and AML controls must operate.
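The four monitoring controls above (destination screening before execution, size deviation from baseline, rapid sequential transfers, and documented escalation paths) can be expressed as a small detection pipeline. The following is an added illustration, not code from ITSEC or from VARA's framework; the addresses, amounts, thresholds and escalation targets are constructed placeholders that a VASP would replace with its own documented values and its blockchain-analytics feed.

```python
from dataclasses import dataclass
from statistics import median

# Constructed sample blocklist (hypothetical). In production this comes from the
# firm's blockchain-analytics / sanctions screening provider.
BLOCKLIST = {"0xbad0000000000000000000000000000000000001"}

@dataclass
class Tx:
    ts: int        # unix seconds
    src: str       # originating wallet or client account
    dst: str       # destination address
    amount: float  # value in one reference unit (e.g. USD equivalent)

# Assumed policy thresholds; a VASP documents its own under its monitoring policy.
SIZE_MULTIPLIER = 5.0   # flag if amount > 5x median of the source's prior outflows
BURST_COUNT = 3         # flag if >= 3 transfers from one source ...
BURST_WINDOW = 60       # ... within 60 seconds
ESCALATION = {"blocklisted_destination": "compliance+security+senior_mgmt",
              "size_anomaly": "security",
              "rapid_sequence": "security+compliance"}

def screen_destination(tx):
    """Pre-execution screening: a blocklisted destination must block the transfer."""
    return "blocklisted_destination" if tx.dst.lower() in BLOCKLIST else None

def size_anomaly(tx, history):
    """Compare amount with the median of this source's prior outflows (needs >= 3)."""
    prior = [h.amount for h in history if h.src == tx.src]
    if len(prior) >= 3 and tx.amount > SIZE_MULTIPLIER * median(prior):
        return "size_anomaly"
    return None

def rapid_sequence(tx, history):
    """Count this transfer plus earlier ones from the same source inside the window."""
    recent = [h for h in history if h.src == tx.src and tx.ts - h.ts <= BURST_WINDOW]
    return "rapid_sequence" if len(recent) + 1 >= BURST_COUNT else None

def monitor(txs):
    """Process transfers in timestamp order; return alerts with their escalation path."""
    alerts, history = [], []
    for tx in sorted(txs, key=lambda t: t.ts):
        for reason in (screen_destination(tx), size_anomaly(tx, history), rapid_sequence(tx, history)):
            if reason:
                alerts.append({"ts": tx.ts, "src": tx.src, "reason": reason, "escalate_to": ESCALATION[reason]})
        history.append(tx)
    return alerts

def sample_alerts():
    """Constructed hot-wallet outflows: a 9x spike, then a 3-transfer burst ending at a blocklisted address."""
    hot = "0xhot0000000000000000000000000000000000001"
    txs = [Tx(1000, hot, "0xc1", 100), Tx(1100, hot, "0xc2", 120), Tx(1200, hot, "0xc3", 90),
           Tx(1300, hot, "0xc4", 900), Tx(2000, hot, "0xc5", 50), Tx(2010, hot, "0xc6", 50),
           Tx(2020, hot, "0xbad0000000000000000000000000000000000001", 50)]
    return monitor(txs)
```

Each alert carries the escalation path from the documented table, which is the evidence an examiner asks for when checking that thresholds and escalation are defined rather than ad hoc.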

6. Smart Contract and Blockchain-Layer Security

For VASPs operating DeFi integrations, tokenised products, or smart contract-based settlement systems, blockchain-layer security is a VARA requirement — not an optional advanced control.

  • Smart contract audits: All smart contracts used in production must be audited by qualified, independent security researchers before deployment. EVM audit methodology must cover reentrancy, integer overflow, access control, oracle manipulation, and front-running vulnerabilities.
  • Ongoing monitoring for protocol changes: DeFi protocol integrations must be monitored for upstream changes, governance proposals, and emergency protocol actions that could affect your exposure.
  • Bridge and cross-chain exposure assessment: Where cross-chain bridges are used, documented risk assessment and ongoing monitoring of bridge security posture.

Common gap: VASPs that integrate with DeFi protocols or use smart contract-based custody without formal audit coverage. VARA's examiner questions in this area are becoming more technically specific in 2026.

7. Business Continuity and Operational Resilience

  • Business Continuity Plan (BCP) covering cyber scenarios: Your BCP must explicitly address cyber-originated disruption scenarios — not just physical or infrastructure failures. Recovery time objectives for critical systems must be documented and tested.
  • DR testing: Disaster recovery procedures must have been tested within the past 12 months. Test evidence must be documented and available for regulatory review.
  • Critical system identification: VARA expects a documented register of critical systems with recovery priority classifications and dependency mapping.

Where Most UAE VASPs Have Gaps — And Why Generic Crypto Defense Doesn't Close Them

The cybersecurity market in the UAE has seen a wave of new entrants claiming to serve the virtual asset sector. Generic crypto defense products — however well-engineered — address the technology layer. What VARA's framework requires goes substantially further: it requires governance evidence, regulatory documentation, TLPT methodology aligned to VARA's specific framework, and the kind of deep UAE regulatory engagement that only comes from years of direct VARA interaction.

ITSEC has been delivering cybersecurity services to UAE-regulated organisations since 2011. We have supported businesses through the requirements of nine UAE regulators — VARA, DFSA, CBUAE, ADGM, DHA, GCGRA, SCA, DESC, and ADHICS. Our VARA TLPT engagements are designed to VARA's specific framework requirements, not adapted from a generic red team methodology. Our blockchain security team conducts EVM smart contract audits, DeFi protocol risk assessments, and cross-chain bridge exposure analysis.

Critically, ITSEC operates alongside SecureVisa Group (SVG) — meaning that for firms navigating the VARA licensing process, the cybersecurity requirements and the licensing requirements are handled by a single integrated team. That integration eliminates the coordination gap that costs firms time and creates compliance risk when cybersecurity and licensing advisors are working from different playbooks.

Use This Checklist Now — Not After Your Next VARA Review

Work through each section against your current programme. For each item, ask not just whether the control exists, but whether it is documented, tested, and capable of withstanding examiner scrutiny. The gap between having a control and being able to demonstrate a control to VARA is where most enforcement risk lives.

If you identify material gaps — particularly in TLPT, key governance, or incident response — the time to address them is before VARA's next supervisory cycle, not during it.

ITSEC provides VARA TLPT design and execution, smart contract security audits, blockchain security assessments, vCISO services, and integrated VARA compliance support. If you want a structured gap assessment against this checklist, contact our team to arrange a VARA cybersecurity posture review.
