BUSINESS CONTINUITY AND DISATER RECOVERY

INTRODUCTION

Business continuity is the capability of an enterprise to stay online and deliver products and services during disruptive events, such as natural disasters, cyberattacks and communication failures. The core of this concept is the Business Continuity Plan (BCP), which is a defined strategy that includes every facet of an organization’s operation and details procedures for maintaining business availability. A Disaster Recovery Plan (DRP) is an essential part of a BCP, which applies to the aspects of an organization that depend on a functioning information technology (IT) infrastructure. A DRP aims to help an organization resolve data loss and recover system functionality so that it can perform in the aftermath of an incident, even if it operates at a minimal level.

DEFINITIONS

The following definitions are utilized throughout the Business Continuity and Disaster Recovery Plan (collectively referred to as BCDRP):

• Disaster: Any event that is significant enough to crucially disrupt or completely stop critical business operations for a potentially extended duration. Types of disasters may include:

  • Natural disasters, such as hurricanes, tornadoes, floods, etc.

  • Cyber-attacks such as distributed denial of service

  • System failure

  • Pandemics, such as COVID

  • Any loss of utility service (power, water)

  • Terrorist attacks

• Threat Analysis: The identification of potential disruptions, along with potential damage they can cause to affected resources. Examples include but are not limited to power outages, employee illness, cyber-attacks, vendor error, natural disasters, and global pandemics.

• Recovery Time Objective (RTO): The acceptable downtime for critical functions and components, i.e., the maximum time it should take to restore services.

• Recovery Point Objective (RPO): The point in which the state of operations must be restored following a disruption.

• Disaster Recovery Team: A group of individuals who are tasked with developing, documenting, and executing processes and procedures for an organization's data recovery, business continuity, and IT infrastructure in the event of a disaster or failure.

• Business Resumption Plan: A plan to resume business operations including logistics and steps to minimize risks.

• Disaster Recovery Plan: The technical aspect of business continuity planning; the advance planning and preparing necessary to minimize loss and ensure continuity of the critical business functions of an organization in the event of disaster.

• Communications Plan: The plan to communicate with employees, vendors, consultants, customers, service providers, and the media with the goal of avoiding or minimizing damage to the organization's profitability, reputation, or ability to operate.

PURPOSE

The Kredit Financial Inc. (Kredit) BCDRP describes the preparations and actions to be followed in the event of a disaster that is caused by factors beyond our control to restore services for its clients to the widest extent possible in a minimum time frame.

PLAN OBJECTIVES

The objective of Kredit’s BCDRP is to:

• Ensure high availability of our business-critical processes/services in the event of a disaster

• Protect systems and data from physical and environmental threats to prevent loss, damage, theft, or compromise of assets and limit interruption to critical activities

• Serve as a guide for the Kredit Recovery Team

• Provide procedures and resources needed to assist in recovery

SCOPE

This plan covers all critical business operations that have:

• Business requirements to ensure continuity of services

• Material risk of service failures

• Contractual or client requirements

Kredit is a remote-first organization with employees located throughout the United States. Kredit’s technology infrastructure is cloud-based, utilizing the Amazon Web Services (AWS) cloud environment. Given the reliance on AWS, Kredit also relies on Amazon's own internal BCDR testing of its own environment, including physical security, backup capacity, and disaster recovery plans and procedures. These items are not within the scope of Kredit’s BCDRP.

RECOVERY TEAM (RT)

Kredit’s RT is comprised of the following individuals:

• Chief Technology Officer (RT Coordinator)

• Principal Engineer

• Chief Compliance Officer

• Chief Executive Officer

RT RESPONSIBILITIES

The RT is responsible for the following:

• The RT Coordinator shall ensure that the RT Contact List (Appendix A) reflects the most current contact information for each member of the team.

• All members of the RT must maintain a copy of the Contact List and BCDRP offline for reference purposes, in the event Kredit’s systems become unavailable.

• All members of the RT are responsible for reading and familiarizing themselves with the contents of the BCDRP.

INSTRUCTIONS FOR USING THE BCDRP

INVOKING THE PLAN

The BCDRP becomes effective when a disaster occurs. The RT is responsible for declaring a disaster and activating the various procedures as outlined in this plan. The RT must be activated immediately in the following cases:

• Application, system, data outages of key third party services

• Critical outages caused by human actions

• Widespread communications outages impacting internet and phone communications

• Ransomware attack

DISATER DECLARED

Once a disaster is declared, the RT is mobilized. Members assemble virtually to gather information regarding the event and determine whether to continue to the Recovery Phase(s) of this plan.

EXTERNAL COMMUNICATIONS

Kredit’s CEO is designated as the principal communicator to customers and/or other external organizations in the event of a formal disaster declaration.

BUSINESS RECOVERY PROCEDURES

Currently, all Kredit employees work remotely from their homes. If an employee's primary work location (home) is inaccessible, work can be performed remotely anywhere where communication services and power are available.

DISASTER RECOVERY

Kredit has designed a disaster recovery plan to meet the following objectives:

• RTO ~4 Hours

• RPO ~0 Hours

Kredit’s technology infrastructure and associated services are cloud based and designed for high availability, with replication across multiple regions in failover situations. Backups of Kredit's data stores are performed daily. The status and health of our core services is monitored real time during business hours and alerts are triaged and any incidents that may impact the availability of core services are prioritized. In extreme circumstances, Kredit’s services could fail over to another cloud provider in the main cloud provider is the cause of the disaster.

Kredit does not perform traditional fail-over tests from one availability zone to another, due to the fact that fail-over between different availability zones are configured to occur automatically, and the health of this configurations, the health of our services, and the health of the different availability zones, are monitored in real-time. However adequate validation of our configuration and capabilities are validated periodically and in near real time. All these controls work together to ensure high reliability and low latency of all Kredit services.

VIOLATIONS

Violations of this policy may result in disciplinary action to align with Kredit’s Disciplinary policy.

CHANGE SUMMARY

Purpose: Internal Policy

Category: information Security Policy

Policy Name: Business Continuity and Disaster Recovery Plan