2022-01-01
The Capital Markets Authority has issued these 2022 Guidelines to establish minimum disaster recovery and contingency planning standards for all approved and licensed financial entities. Regulated persons must conduct comprehensive risk analyses, maintain systematically categorized primary and secondary printed and electronic records with quarterly updates, and store backup copies at secure off-site locations. Each entity is required to establish a disaster recovery committee responsible for implementing business continuity plans, promptly notifying the Authority of operational changes or disasters, and aligning operations with ISO 22301 and ISO 31000 standards.
THE CAPITAL MARKETS DISASTER RECOVERY GUIDELINES 2022

Introduction to Guidelines

The Authority has developed these Guidelines as a minimum standard for disaster recovery practices by approved and licensed persons, in response to the growing importance of disaster recovery and contingency planning in both emerging and developing economies. Disaster recovery, for the purposes of these Guidelines, is defined as a process by which an organization is able to deal with potential disasters and make provision for the continuation of normal functions.

Background and objectives of the Guidelines

These Guidelines have been developed taking into account the growing significance for organizations of disaster recovery planning, risk identification, risk analysis and the development of recovery strategies. The objective of these Guidelines is to enable regulated persons to analyse the potential and real disasters they may face and to make provision for the development of continuity plans.

Definitions

In these Guidelines, the following words and expressions shall carry the meaning attributed to them. This glossary is only designed to provide clarity to the words and terms used in these Guidelines and does not amount to an interpretation of the terms contained therein.

“Authority” means the Capital Markets Authority as established under section 4 of the Capital Markets Authority Act Cap 84.

“Back up” means the act of reproducing copies of printed records or electronic records.

“Business Continuity Plan” means a disposition intended to establish, in advance, a plan of what a company needs to do to ensure that its key products and/or services continue to be delivered in the longer term, i.e. a plan for the sustainability of the business.

“Correspondent” means a natural person or institution with which a regulated institution exchanges vital information, such as the Authority, clients or other categories of persons or institutions generally.

“Disaster” includes acts of God or natural disasters such as earthquakes and fires, as well as acts of men such as riots, terrorist attacks, computer systems failures and arson.

“Electronic records” are vital computer files, e-mail attachments or other information ordinarily stored in electronic, magnetic or digital form.

“Primary” refers to the original documentary or electronic records.

“Regulated person” means any person who has been granted a licence under this Act, or under the Collective Investment Schemes Act, the Securities Central Depositaries Act or any other Act for whose administration the Authority is wholly or partly responsible, or an approved or formerly approved Securities Exchange, or any persons associated with such licensees or approved stock exchanges.

“Secondary” refers to copies of primary or original documentary or electronic records.

Risk Analysis

All regulated persons are required to carry out a risk analysis of their securities operations which will enable them to examine the real and historical risks and potential threats, whether of natural, technological or human origin.
A risk analysis should include risk identification, risk categorization, identification of the likelihood of occurrence and an assessment of the adequacy of the precautions in place. The findings of the risk analysis should be recorded and applied in the development of a risk management and contingency plan.

Risks should be prioritised according to their source: equipment failure, utilities failure and human failures resulting from robberies, strikes, riots and terrorist threats, among others. An assessment of the potential impact resulting from the risk should also be made, with special focus on its bearing on:
(i) The financial effects on the regulated entity.
(ii) Legal and regulatory consequences.
(iii) Effects on competitive position and customer confidence.

Management of records

Printed records refer to all vital printed documentation, including correspondence, board minutes, financial records, client records, operational information, standard formats, contracts and licensing documentation, as well as other important records that are generated from within the regulated institution and from correspondents.

Primary copies of all printed records must be kept in a systematic and well-categorised manner. All primary copies of printed records should be stored in fireproof cabinets. Secondary copies of all printed records should be made by photocopying or scanning, and these should be updated on a quarterly basis. All secondary copies of printed records should be stored at an off-site storage location satisfying the requirements in these Guidelines.
All employees of regulated institutions responsible for using or storing electronic records are required to make backup copies (the first backup) of all primary electronic records and store them, preferably on floppy diskette or another magnetic or digital medium. Other forms may include tape, CD, Jaz or SyQuest disks. All first backup copies must themselves be backed up on similar or other electronic, digital or magnetic storage devices (the second backup). First and second backup copies should be updated on a quarterly basis. The secondary backup copies must be stored at an off-site location satisfying these Guidelines.

Disaster Recovery Committees

All regulated persons should put in place disaster management committees. The committee shall, among other duties, develop a contingency plan for business continuity, which should specifically address:
(i) Evacuation procedures.
(ii) Business resumption.
(iii) Emergency operating procedures.
(iv) Information systems and data recovery.

The Chairperson of the committee shall be in charge of implementation of the business continuity plan, and the Compliance Officer designated for purposes of liaison with the Authority shall be a member of the committee.

A regulated person shall immediately notify the Authority in the event of any of the following:
a) A decision to change an off-site storage location.
b) The change of an off-site storage location.
c) The occurrence of any disaster affecting the regulated person’s business.
d) A decision to implement the contingency business continuity plan.
e) A change of location of operations following a disaster.
Off-site locations

Each regulated institution is required to arrange for the off-site storage of its backup copies as provided above.
(1) In general, off-site storage locations should be not less than 1 km from the principal place of business of the regulated institution, but they may be a branch office of the regulated institution or the parent company’s premises.
(2) The off-site storage location shall be a convenient and secure location.

(1) The Authority shall conduct routine and impromptu visits to the premises of regulated institutions and to backup storage locations to verify compliance with these Guidelines.
(2) The Authority reserves the right to make directions on the suitability of selected off-site storage locations.
(3) The Authority may make such directions as it may deem necessary with respect to the disaster recovery preparedness of regulated institutions.
APPENDIX

All regulated persons should adopt the standards set by the International Organisation for Standardisation in ISO 22301 on Business Continuity Management Systems (BCMS), to enable them to implement their business continuity management systems effectively so that they are able to respond to and recover from incidents with the least disruption to business, and in ISO 31000 on Risk Management, to provide a framework for managing risk.