Understanding VARA's Risk-Based Approach to Virtual Asset Cybersecurity
One of the defining features of Dubai's Virtual Assets Regulatory Authority framework is its risk-based approach to compliance. Unlike prescriptive regulatory models that mandate identical controls for every licensee, VARA expects organizations to demonstrate that their cybersecurity measures are proportionate to the risks they face. This sounds straightforward in principle. In practice, it requires a level of analytical rigor that most VASPs underestimate.
What Risk-Based Really Means
A risk-based approach does not mean doing less. It means demonstrating that you understand your risk landscape and have made deliberate, defensible decisions about how to address it. For a custodial exchange handling high-value transactions across multiple jurisdictions, the expected depth and sophistication of cybersecurity controls will be significantly greater than for a VASP offering advisory services with no custody of client assets.
The key variables VARA considers include the nature and complexity of virtual asset activities — whether the VASP operates an exchange, provides custody, facilitates transfers, or offers advisory services. Transaction volumes and values matter because a VASP processing millions of dollars daily faces fundamentally different risks than one handling thousands. Whether the VASP holds custody of client assets is perhaps the single most significant risk differentiator. The number of jurisdictions served affects regulatory complexity and cross-border risk. The technology stack and its exposure to external threats determine the technical attack surface. The maturity of risk management capabilities indicates whether the organization can sustain controls over time rather than only standing them up for the licensing application.
Building a Defensible Risk Assessment
The foundation of risk-based compliance is the risk assessment itself. VARA expects this to be comprehensive, covering technology risk, operational risk, cybersecurity risk, third-party risk, and regulatory risk across the entire operational footprint.
ITSEC sees a common failure pattern: generic risk registers that list standard cyber threats — ransomware, phishing, DDoS — without connecting them to the specific operations, architecture, and asset types of the VASP. VARA reviewers identify templated assessments immediately and treat them as evidence of insufficient understanding rather than insufficient documentation.
An effective risk assessment begins by identifying the crown jewels of the organization. For a custodial exchange, this includes private key material and wallet infrastructure, the order matching engine and trade execution systems, customer KYC data and AML transaction records, price feed and oracle integrations, API gateways handling customer transactions, and hot wallet balances representing immediate financial exposure.
Threat evaluation must be specific to virtual asset operations. Generic threats like phishing and malware are relevant but insufficient. The assessment must address private key theft through insider access, social engineering, or supply chain compromise of HSM vendors. Smart contract vulnerabilities including reentrancy, integer overflow in contracts compiled without checked arithmetic, front-running, and flash loan attacks must be evaluated if the VASP deploys or interacts with smart contracts. Oracle manipulation, where compromised or manipulated price feeds trigger automated actions such as liquidations or settlements at artificial prices, represents a material risk. Blockchain-specific attacks including 51% attacks on smaller chains, transaction malleability, and bridge exploits must be considered based on the chains the VASP supports. API abuse including credential stuffing, automated account takeover, and rate-limit bypass represents a persistent operational threat.
For each identified risk, the assessment must score inherent risk using a consistent methodology such as likelihood multiplied by impact on defined scales, then calculate residual risk after existing controls are applied, using the same scales so that scores are comparable across the register. Risks whose residual score is above the organization's defined risk appetite must have documented treatment plans with specific controls, owners, and implementation timelines.
Calibrating Controls to Risk Profile
Once risks are identified, controls must be selected and implemented proportionately. ITSEC helps VASPs map controls to risk using established frameworks as reference points — primarily NIST Cybersecurity Framework and ISO 27001 — while tailoring to the specific requirements of virtual asset operations.
A custodial exchange with significant hot wallet exposure requires multi-signature wallet architectures with geographic distribution of signing authority, hardware security modules certified to FIPS 140-2 Level 3 (or the successor FIPS 140-3 Level 3) for key generation and storage, real-time transaction monitoring with anomaly detection calibrated to normal operational patterns, automated circuit breakers that halt withdrawals when anomalous patterns are detected, 24/7 security operations center monitoring with defined response playbooks, and segregation of duties ensuring no single individual can authorize high-value transactions.
A non-custodial advisory VASP may appropriately focus its controls on API security for any platform integrations, data protection for client information and advisory records, access control with multi-factor authentication for all staff, secure communication channels for client advisory services, and secure integration with third-party custodians and data providers.
Both approaches are valid under VARA's risk-based framework — but only if the reasoning is documented, the risk assessment supports the control selection, and the implementation matches the design.
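Two of the controls listed for the custodial profile, the withdrawal circuit breaker and segregation of duties on high-value transactions, are concrete enough to show in code. The following is an added example written for this article, not VARA's or ITSEC's code and not any exchange's production logic: a sliding-window outflow breaker for a hot wallet combined with a two-person rule for high-value withdrawals. The hourly baseline, the multiplier, the 250,000 USD high-value cut-off, the one-hour window and the withdrawal stream are all constructed assumptions.

```python
"""Hot-wallet withdrawal guard: sliding-window outflow circuit breaker plus a
two-person rule for high-value withdrawals.

Added example for this article. Thresholds and the sample stream are assumed
values chosen to make the mechanics visible, not calibrated figures.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Withdrawal:
    ts: float            # seconds since epoch (constructed values in run_sample)
    user: str            # customer or operator requesting the withdrawal
    amount_usd: float
    approvers: tuple = ()  # staff who approved it, if any


class WithdrawalGuard:
    """Blocks withdrawals once the outflow inside the sliding window exceeds a
    baseline-derived limit, and rejects high-value withdrawals that lack enough
    independent approvers. A trip stays in force until reset() is called by an
    operator following the response playbook; the code never self-clears."""

    def __init__(self, baseline_hourly_usd, multiplier=3.0, window_s=3600,
                 high_value_usd=250_000, min_approvers=2):
        self.limit_usd = baseline_hourly_usd * multiplier  # assumed calibration
        self.window_s = window_s
        self.high_value_usd = high_value_usd
        self.min_approvers = min_approvers
        self.recent = deque()   # (ts, amount) of withdrawals still in the window
        self.outflow = 0.0      # running sum of self.recent
        self.halted = False
        self.halt_reason = None

    def _expire(self, now):
        # Drop window entries older than window_s and keep the running sum exact.
        while self.recent and now - self.recent[0][0] >= self.window_s:
            _, amt = self.recent.popleft()
            self.outflow -= amt

    def check(self, w: Withdrawal):
        """Return (allowed, reason). Allowed withdrawals are recorded in the
        window; a withdrawal that would breach the limit trips the breaker and
        is itself rejected."""
        if self.halted:
            return False, f"halted: {self.halt_reason}"

        # Segregation of duties: a high-value withdrawal needs at least
        # min_approvers distinct approvers, and the requester cannot count.
        if w.amount_usd >= self.high_value_usd:
            independent = set(w.approvers) - {w.user}
            if len(independent) < self.min_approvers:
                return False, "insufficient independent approvals"

        self._expire(w.ts)
        if self.outflow + w.amount_usd > self.limit_usd:
            self.halted = True
            self.halt_reason = (f"outflow {self.outflow + w.amount_usd:.0f} USD in "
                                f"{self.window_s}s exceeds {self.limit_usd:.0f}")
            return False, f"halted: {self.halt_reason}"

        self.recent.append((w.ts, w.amount_usd))
        self.outflow += w.amount_usd
        return True, "ok"

    def reset(self):
        """Operator action after investigation; not called automatically."""
        self.halted = False
        self.halt_reason = None


def run_sample():
    """Constructed stream: normal traffic, a self-approved large withdrawal,
    then a properly approved one that still looks like a drain. Returns the
    (allowed, reason) decision for each withdrawal in order."""
    guard = WithdrawalGuard(baseline_hourly_usd=100_000)  # limit: 300,000 USD/hour
    stream = [
        Withdrawal(0,    "alice", 20_000),
        Withdrawal(600,  "bob",   50_000),
        Withdrawal(900,  "carol", 300_000, approvers=("ops1", "carol")),  # self-approval
        Withdrawal(960,  "carol", 300_000, approvers=("ops1", "ops2")),   # trips breaker
        Withdrawal(1000, "dave",  1_000),                                  # blocked while halted
    ]
    return [guard.check(w) for w in stream]
```

The fourth withdrawal is the instructive one: its approvals are in order, yet it is still refused because the window total would reach 370,000 USD against a 300,000 USD limit. The two controls are independent by design, and the breaker does not reset itself; clearing it is a playbook step for the operations center, which is what the paragraph above means by defined response playbooks. In a real deployment the baseline and multiplier would come from the calibration of the monitoring system rather than constants.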
The Risk Assessment Must Drive Real Decisions
ITSEC emphasizes to clients that the risk assessment is not a compliance document — it is a decision-making tool. The assessment should directly inform technology architecture decisions including where to segment networks, what to encrypt, and what to monitor. It should drive staffing decisions about how many security personnel are needed and what skills they require. It should shape vendor selection criteria for choosing between custodians, cloud providers, and security tools. It should determine testing priorities about what to penetration test first and how often. And it should guide investment allocation for where the security budget delivers the most risk reduction.
When VARA reviews an application, they evaluate whether the risk assessment and the security program tell a consistent story. If the risk assessment identifies private key theft as the highest risk but the security program invests more in email security than wallet infrastructure protection, the inconsistency will raise questions.
Continuous Risk Monitoring
VARA's risk-based approach is not a point-in-time exercise. The regulatory expectation is that VASPs continuously monitor their risk environment and adjust controls as conditions change. This means regular reassessment of the threat landscape with documented evidence of how new threats were evaluated and addressed. Monitoring of new vulnerabilities affecting the technology stack must be active and ongoing, not dependent on periodic scanning alone. Third-party risk must be reassessed as vendor relationships evolve, including monitoring for changes in vendor security posture through continuous assessment services. Risk assessments must be updated when new products, services, or blockchain integrations are launched — each new capability changes the risk profile. Board and senior management must receive regular risk reporting that demonstrates the risk profile is understood and actively managed at the governance level.
Organizations that treat risk assessment as a static document rather than a living process will find themselves out of compliance when VARA conducts ongoing supervision reviews following initial authorization.
Common Mistakes ITSEC Sees in VARA Risk Assessments
After reviewing dozens of VASP risk assessments, ITSEC consistently sees several patterns that lead to regulatory friction. Templated assessments purchased from compliance vendors that list generic threats without operational context are immediately identifiable. Risk scores that cluster everything as medium severity suggest the assessment methodology lacks discrimination. Missing third-party risk assessment is a gap — many VASPs assess internal risks thoroughly but fail to assess cloud providers, API integrations, and outsourced functions with the same rigor. Absence of residual risk calculation means presenting inherent risk without demonstrating how controls reduce it to acceptable levels. No connection between the risk register and the security investment plan suggests the assessment exists for compliance rather than driving genuine security decisions.
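The scoring methodology described under "Building a Defensible Risk Assessment" and several of the mistakes just listed (scores clustered in one band, residual risk never calculated, a register disconnected from the investment plan) can be checked mechanically. The following is an added example written for this article, not VARA's methodology and not ITSEC's tooling: a small register scorer that computes inherent and residual scores on 5x5 scales, compares them to a risk appetite, and raises the register-level findings a reviewer would. The scales, the appetite value of 8, the control-effectiveness model, the budget map and every register entry are constructed assumptions.

```python
"""Risk register scoring with reviewer-style sanity checks.

Added example for this article. The 5x5 scales, RISK_APPETITE, the way
control effectiveness is applied, and the sample register and budget are
assumptions, not a regulator's or vendor's method.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

RISK_APPETITE = 8  # assumed: any residual score above this needs an owned, dated plan


@dataclass
class Risk:
    rid: str
    description: str
    domain: str                   # control domain that would address the risk
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    control_effectiveness: float  # 0.0 = no control in place, 1.0 = fully mitigating
    owner: Optional[str] = None
    treatment_due: Optional[str] = None  # ISO date of the planned treatment

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        # Modelling choice (assumed): controls reduce likelihood, not impact.
        # A stolen signing key costs the same whether or not training cut the
        # odds of theft. Round half up and floor at 1 so nothing scores zero.
        reduced = self.likelihood * (1.0 - self.control_effectiveness)
        return max(1, int(reduced + 0.5)) * self.impact


def band(score: int) -> str:
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def evaluate(register, budget_usd):
    """Score each risk and return (rows, findings).
    rows: one dict per risk, sorted by residual score descending.
    findings: register-level problems a reviewer would raise."""
    rows = sorted(
        ({"rid": r.rid, "domain": r.domain, "inherent": r.inherent(),
          "residual": r.residual(), "band": band(r.residual()),
          "planned": bool(r.owner and r.treatment_due)} for r in register),
        key=lambda row: row["residual"], reverse=True)
    if not rows:
        return rows, ["register is empty"]
    findings = []

    # 1. Above appetite without an owner and a dated treatment plan.
    for row in rows:
        if row["residual"] > RISK_APPETITE and not row["planned"]:
            findings.append(f"{row['rid']}: residual {row['residual']} exceeds "
                            f"appetite {RISK_APPETITE} with no owner or treatment plan")

    # 2. Scores cluster in one band (assumed threshold: 80% of the register).
    bands = Counter(row["band"] for row in rows)
    if bands.most_common(1)[0][1] >= 0.8 * len(rows):
        findings.append("scores cluster in one band; methodology lacks discrimination")

    # 3. Residual never differs from inherent: control effect was not assessed.
    if all(row["inherent"] == row["residual"] for row in rows):
        findings.append("residual equals inherent for every risk; no control effect modelled")

    # 4. Spend does not follow risk: a domain whose risks all sit within appetite
    #    is funded more than the domain of the top residual risk.
    top = rows[0]
    top_spend = budget_usd.get(top["domain"], 0)
    for domain, spend in budget_usd.items():
        in_domain = [row for row in rows if row["domain"] == domain]
        if (domain != top["domain"] and in_domain and spend > top_spend
                and all(row["residual"] <= RISK_APPETITE for row in in_domain)):
            findings.append(f"{domain} budget {spend} exceeds {top['domain']} budget "
                            f"{top_spend} although {top['rid']} is the top residual risk")
    return rows, findings


def sample_register():
    """Constructed register for a hypothetical custodial exchange."""
    return [
        Risk("R1", "private key theft via insider or HSM vendor compromise",
             "wallet infrastructure", 5, 5, 0.4),
        Risk("R2", "oracle manipulation of the price feed",
             "trading systems", 3, 4, 0.6, "head-of-trading", "2025-09-30"),
        Risk("R3", "credential stuffing against the customer API",
             "api security", 5, 3, 0.8),
        Risk("R4", "staff phishing leading to workstation compromise",
             "email security", 4, 2, 0.7),
        Risk("R5", "bridge exploit on a supported chain",
             "bridge integrations", 3, 4, 0.0, "cto", "2025-12-31"),
    ]


SAMPLE_BUDGET_USD = {  # constructed annual security spend per control domain
    "email security": 150_000,
    "wallet infrastructure": 60_000,
    "api security": 80_000,
    "trading systems": 40_000,
    "bridge integrations": 30_000,
}
```

Run against the constructed register, the scorer ranks private key theft first (inherent 25, residual 15) and raises three findings: R1 is above appetite with no owner or plan, and both email security and API security are funded more than wallet infrastructure even though every risk in those domains is already within appetite. That last finding is exactly the inconsistency described under "The Risk Assessment Must Drive Real Decisions". The clustering and residual-equals-inherent checks do not fire here, but they do on a register where every entry is scored 3x3 with no controls assessed, which is what a templated assessment tends to look like.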
How ITSEC Approaches VARA Risk Assessment
ITSEC works with VASPs to build risk assessment frameworks that satisfy VARA expectations while providing genuine operational value. Our approach combines regulatory knowledge gained from direct engagement with VARA requirements with deep technical expertise in virtual asset security architecture, blockchain analytics, and financial services cybersecurity. The result is a risk assessment that is both compliant and actionable — one that the organization actually uses to make better security decisions, not one that sits in a folder until the next audit. Contact ITSEC for a consultation on building a VARA-aligned risk assessment framework for your organization.