VARA Technology Governance: Securing Virtual Asset Platforms From Architecture to Audit

VARA demands more than security tools. This article covers how VASPs must embed technology governance into platform design, from wallet architecture and key management to change control and continuous monitoring.

Technology governance is not a compliance formality for VASPs operating under VARA — it is the structural foundation upon which regulatory confidence is built. VARA evaluates not just whether security controls exist, but whether the entire technology environment is governed with the discipline expected of a regulated financial services provider. This distinction catches many crypto-native organizations off guard.

What Technology Governance Means Under VARA

Technology governance encompasses the policies, processes, and oversight mechanisms that ensure technology decisions are made deliberately, changes are controlled, risks are managed, and accountability is clear. For VASPs, this extends beyond traditional IT governance to include blockchain-specific considerations that have no equivalent in conventional financial services.

VARA expects VASPs to demonstrate that technology decisions are subject to formal approval processes with documented rationale. Changes to production environments must follow documented change management procedures with segregation of duties between requestor, approver, and implementer. Access to critical systems must be governed by the principle of least privilege with regular access reviews — ITSEC recommends quarterly at minimum for privileged accounts and semi-annually for standard access. Every technology operation that touches customer assets, customer data, or platform integrity must be auditable with tamper-evident logging.

Wallet Architecture and Key Management

The security of digital asset custody begins with wallet architecture, and this is where VARA's expectations are most stringent. ITSEC has seen applicants fail licensing reviews specifically because their wallet architecture could not demonstrate adequate controls.

Hot and cold wallet segregation must follow the principle of minimum necessary exposure. Hot wallets should hold only the liquidity required for operational processing within a defined window — ITSEC recommends no more than five percent of total assets under custody or twenty-four hours of average transaction volume, whichever is lower. The remaining assets must be in cold storage with air-gapped signing infrastructure.

Key management is the most critical cybersecurity control for any custodial VASP. Private keys must be generated within hardware security modules certified to FIPS 140-2 Level 3 or Common Criteria EAL4+ equivalent. The key generation ceremony must be formally documented and witnessed, with the ceremony record stored securely. Multi-signature schemes using at minimum a two-of-three or three-of-five configuration must be implemented for all transactions above defined value thresholds. Signing authority must be distributed across multiple individuals in different physical locations to prevent single-point-of-compromise scenarios.

Key backup and recovery is where many VASPs create unintentional vulnerabilities. Backup key material must be encrypted with separate encryption keys, stored in geographically separated secure facilities — ITSEC recommends bank-grade vault storage — and subject to the same access controls as primary key material. Recovery procedures must be tested at least quarterly with documented results. VARA may request a walkthrough of the key ceremony and recovery process during the licensing review, and they will probe for inconsistencies between documented procedures and actual practice.

Seed phrase management for HD wallets requires equivalent controls. Seed phrases must never exist in plaintext on any networked system. Shamir's Secret Sharing or equivalent threshold schemes should be used to distribute seed phrase fragments across multiple custodians with documented procedures for reconstitution.

Change Management and Release Control

Uncontrolled changes to production environments are a leading cause of security incidents in technology organizations, and in virtual asset platforms the consequences can be immediate financial loss. VARA expects VASPs to implement formal change management processes that would be familiar to anyone who has worked in regulated banking.

Every production change must follow a defined workflow: request with documented justification, risk assessment of the proposed change including potential security implications, testing in a non-production environment that mirrors the production architecture, approval by a designated authority who is not the requestor or implementer, implementation during a defined change window with monitoring, rollback procedures documented and tested before implementation begins, and post-implementation review confirming the change achieved its objective without unintended effects.

For VASPs deploying or updating smart contracts, additional controls are essential. Smart contract changes must undergo independent security audit by a qualified firm before deployment. Formal verification should be applied where the contract's financial value justifies the investment. Staged deployment using proxy patterns or tiered rollout limits blast radius if issues emerge post-deployment. Time-locked administrative functions prevent immediate exploitation if an administrative key is compromised — a minimum forty-eight-hour timelock on critical contract functions is standard practice.

Continuous Monitoring and Logging

Technology governance requires visibility, and visibility requires comprehensive monitoring infrastructure. VASPs must implement logging and monitoring that covers the entire technology estate, not just the perimeter.

Security event logging must capture authentication events including successful and failed logins across all systems, privilege escalation and administrative actions, configuration changes to any production system, all API calls to wallet and transaction systems, network traffic anomalies including unusual outbound connections, and database queries against customer data and financial records. Logs must be shipped to a centralized Security Information and Event Management platform in real time. ITSEC recommends log retention of at minimum twelve months online and seven years in archive for regulatory compliance. Log integrity must be protected through immutable storage or cryptographic chaining — if an attacker can delete or modify logs, the entire monitoring infrastructure is compromised.
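Cryptographic chaining as mentioned above, in an added sketch that is not taken from ITSEC or any SIEM product: each record's hash covers its sequence number, its predecessor's hash and the event, so an edit or a deletion breaks verification at a known index. The record layout, the genesis value and the sample events are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor for the first record's "prev" field

def digest(seq, prev_hash, event):
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps({"seq": seq, "prev": prev_hash, "event": event},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def append(chain, event):
    """Append an event bound to its predecessor; return the new head hash."""
    seq = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"seq": seq, "prev": prev_hash, "event": event,
                  "hash": digest(seq, prev_hash, event)})
    return chain[-1]["hash"]

def verify(chain, expected_head=None):
    """Return (ok, index of first inconsistent record or None)."""
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        if (rec["seq"] != i or rec["prev"] != prev_hash
                or rec["hash"] != digest(i, prev_hash, rec["event"])):
            return False, i
        prev_hash = rec["hash"]
    # Dropping records from the tail leaves a valid shorter chain, so the
    # head hash must also be checked against a copy kept outside the log store.
    if expected_head is not None and prev_hash != expected_head:
        return False, len(chain)
    return True, None

def build_sample():
    """Constructed events of the kinds the logging paragraph lists."""
    chain, head = [], GENESIS
    for action in ("login_failed", "privilege_escalation",
                   "wallet_api_call", "config_change"):
        head = append(chain, {"actor": "admin1", "action": action})
    return chain, head
```

The chain alone only proves internal consistency: whoever can rewrite the whole store can recompute every hash, which is why the head hash is periodically copied to storage the logging hosts cannot modify.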

Real-time alerting must be configured for critical events including failed authentication above threshold indicating brute force attempts, access to wallet infrastructure outside of approved change windows, unusual transaction patterns including volume spikes, large single transactions, and rapid sequential transactions, administrative actions on production systems outside of business hours, and any modification to monitoring or logging configuration itself.
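Three of the alert conditions listed above, written as detection logic over a small constructed event stream; this is an added example, not a rule set from ITSEC or any SIEM. The event field names, the failed-login threshold and window, and the change-window times are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_LIMIT = 5                        # assumed threshold
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # assumed sliding window
# Constructed approved change window for wallet infrastructure.
CHANGE_WINDOWS = [(datetime(2024, 3, 2, 22, 0), datetime(2024, 3, 3, 2, 0))]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def in_change_window(t):
    return any(start <= t < end for start, end in CHANGE_WINDOWS)

def evaluate(events):
    """Return (rule, user, timestamp) alerts for the supplied events."""
    alerts = []
    failures = defaultdict(deque)  # per-user timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = parse(ev["ts"])
        if ev["type"] == "auth_failure":
            q = failures[ev["user"]]
            q.append(t)
            while q and t - q[0] > FAILED_LOGIN_WINDOW:
                q.popleft()  # forget failures older than the window
            if len(q) > FAILED_LOGIN_LIMIT:
                alerts.append(("brute_force_suspected", ev["user"], ev["ts"]))
                q.clear()    # one alert per burst instead of one per attempt
        elif ev["type"] == "wallet_access" and not in_change_window(t):
            alerts.append(("wallet_access_outside_window", ev["user"], ev["ts"]))
        elif ev["type"] == "logging_config_change":
            # Any change to the monitoring pipeline itself always alerts.
            alerts.append(("monitoring_config_modified", ev["user"], ev["ts"]))
    return alerts

# Constructed sample events (not real log data).
SAMPLE_EVENTS = (
    [{"ts": f"2024-03-03T08:0{i}:00", "type": "auth_failure", "user": "alice"}
     for i in range(6)]
    + [{"ts": f"2024-03-03T08:{10 * i:02d}:00", "type": "auth_failure",
        "user": "bob"} for i in range(3)]
    + [{"ts": "2024-03-02T23:00:00", "type": "wallet_access", "user": "ops1"},
       {"ts": "2024-03-03T09:15:00", "type": "wallet_access", "user": "ops2"},
       {"ts": "2024-03-03T09:20:00", "type": "logging_config_change",
        "user": "admin1"}]
)

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```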

Infrastructure Security and Hardening

All production systems must be hardened according to recognized benchmarks — CIS Benchmarks are the industry standard that ITSEC applies. This includes removing unnecessary services and packages, disabling default accounts and changing default credentials, applying the principle of least functionality where systems run only the services required for their designated purpose, implementing host-based firewalls in addition to network firewalls, and enabling audit logging at the operating system level.

Configuration drift detection should be automated. When a production system's configuration deviates from the approved baseline, an alert must be generated and investigated. Infrastructure-as-code practices help maintain consistency but must themselves be secured with access controls and change management applied to the code repository.

Audit and Assurance

VARA expects VASPs to undergo periodic independent audits of their technology and cybersecurity controls. These audits must assess both design effectiveness — whether controls are appropriately designed to address identified risks — and operating effectiveness — whether controls are functioning as designed in day-to-day operations.

ITSEC recommends annual comprehensive audits supplemented by focused assessments after significant changes. Audit findings must be tracked in a formal remediation register with severity classification, assigned owners, agreed remediation timelines, and evidence of completion. Open findings must be reported to senior management and the board, and VARA may request the findings register during supervisory reviews.

ITSEC Technology Governance Services

ITSEC helps VASPs design and implement technology governance frameworks that satisfy VARA requirements while remaining operationally practical. From wallet architecture review and key management assessment through change management implementation and monitoring infrastructure design, we ensure that the technology environment demonstrates the control, accountability, and auditability that regulated financial services demand. Contact ITSEC to discuss your governance requirements.
