ANNEXURE VII
DIRECTIVE 2014/18/EAC
OF THE COUNCIL OF MINISTERS
Of
(Date of Approval by Council of Ministers)
DIRECTIVE OF THE EAC ON DISASTER
RECOVERY AND BUSINESS CONTINUITY
FOR SECURITIES MARKETS
Preamble
The Council of Ministers of the East African Community
Having regard to the Treaty establishing the East African Community and in particular Articles
85 (d), 14 and 16;
Having regard to the recommendations of the Sectoral Council on Finance and Economic
Affairs;
WHEREAS Article 31 of the Protocol on the Establishment of the East African Community
Common Market provides that for proper functioning of the Common Market the Partner
States undertake to co-ordinate and harmonize their financial sector policies and regulatory
framework to ensure the efficiency and stability of their financial systems as well as the
smooth operations of the payment system;
WHEREAS Article 47 of the Protocol on the Establishment of the East African Community
Common Market provides that the Partner States shall undertake to approximate their
national laws and to harmonize their policies and systems for purposes of implementing this
Protocol and that the Council shall issue directives for the purposes of implementing this
Article.
HAS ADOPTED THIS DIRECTIVE
ARTICLE 1
INTERPRETATION
“Community” means the East African Community established by Article 2 of the Treaty;
“Competent Authority” means the national regulatory agency that is the primary supervising entity of securities markets in the Partner State;
“Council of Ministers” means the Council of Ministers of the Community established by Article 9 of the Treaty;
“Correspondent” means a natural person or institution with which a regulated institution exchanges vital information, such as the Authority, clients or other categories of persons or institutions generally;
“Disaster” includes acts of God or natural disasters such as earthquakes and fires, as well as acts of man such as riots, terrorist attacks, computer systems failures and arson;
“Disaster recovery” means a process by which an organization is able to deal with potential disasters and make provision for the continuation of normal functions;
“Electronic records” means vital computer files, e-mail attachments or other information ordinarily stored in electronic, magnetic or digital form;
“Market Intermediary” means an entity licensed or approved by a Competent Authority in the Partner State;
“Primary record” means the original documentary or electronic record;
“Printed records” means all vital printed documentation, including correspondence, board minutes, financial records, client records, operational information, standard formats, contracts and licensing documentation, as well as other important records that are generated from within the regulated institutions and from correspondents;
“Regulated person” means any organization or natural person that is licensed, approved or in any way regulated by the Competent Authority, and includes Securities Exchanges, broker/dealers, investment advisers, registrars, custodians, managers, trustees and authorized corporate directors of collective investment schemes, and any other category of persons or institutions as the Authority may from time to time designate;
“Secondary record” means a copy of a primary or original documentary or electronic record;
“Partner States” means the Republic of Burundi, the Republic of Kenya, the Republic of Rwanda, the United Republic of Tanzania and the Republic of Uganda, and any other country granted membership of the Community under Article 3 of the Treaty;
“Treaty” means the Treaty for the Establishment of the East African Community and any Annexes and Protocols thereto.
ARTICLE 2
PRINCIPLES
In implementing this Directive, Partner States shall ensure that:
(a) all regulated markets in the EAC region carry out a risk analysis of their securities operations which enables them to examine the real and historical risks and potential threats, whether from natural disasters, technological or human causes;
(b) risks are prioritized according to the risks resulting from equipment failure, utilities failure and human failures resulting from robberies, strikes, riots, and terrorist attacks and threats, among others;
(c) an assessment of the potential impact resulting from each risk is also made, with special focus on its bearing on:
(i) the effects on business operations;
(ii) legal and regulatory consequences; and
(iii) effects on competitive position and investor confidence;
(d) market stability is enhanced by providing for the storage and retrieval of vital information in the event of a disaster;
(e) seamless continuity in the conduct of business in case of disaster is ensured; and
(f) staff members are provided with on-going Disaster Recovery and Business Continuity Planning training.
ARTICLE 3
SCOPE
This Directive shall apply to the Competent Authorities and all market players in the Partner
States.
ARTICLE 4
OBJECTIVE
The objective of this Directive is to enable the Regulators and all market players in the EAC to analyze the potential and real disasters they may face, and to make provision for the development of continuity plans with a view to:
(a) facilitate timely recovery of core business functions;
(b) protect the wellbeing of employees, families and clients of market intermediaries and
Competent Authorities;
(c) minimize loss of revenue and clients;
(d) maintain market confidence and reputation of market intermediaries and Competent
Authorities;
(e) minimize loss of data and/or information;
(f) reduce the critical decisions to be made in a time of crisis; and
(g) ensure efficient markets and reduce systemic risks.
ARTICLE 5
DISASTER RECOVERY/BUSINESS CONTINUITY PLAN
1. Competent Authorities and all market players should have a disaster recovery plan which must be responsive to system emergencies.
2. (a) Competent Authorities and all market players shall develop and maintain a written business continuity and contingency plan establishing procedures to be followed in the event of an emergency or significant business disruption.
(b) Market players shall make their disaster recovery and business continuity plans available to the Competent Authority upon request.
ARTICLE 6
MAINTENANCE OF THE DISASTER RECOVERY PLAN
The Competent Authorities shall ensure that:
(a) the Disaster Recovery and Business Continuity Plans are continuously reviewed and updated to reflect changes in personnel/workforce, business risks and legislation, among others; and
(b) the business continuity and contingency plan is reviewed yearly to determine whether any modifications are necessary in light of changes to the organization’s operations, structure, business or location.
ARTICLE 7
DISASTER RECOVERY PERSONNEL
The Competent Authorities and all Market Players shall ensure that:
(a) their disaster recovery and business continuity plans identify the specific people involved in the implementation of the plans; and
(b) the Disaster Recovery and business continuity plans specify a team leader, an alternate team leader, as well as the team members associated with any recovery efforts. The plans shall also include their contact information, including work phone, cell-phone and email addresses.
ARTICLE 8
DISASTER MANAGEMENT COMMITTEE
1. Competent Authorities and market players in the EAC securities markets should put in place disaster management committees. The committee shall, among others, develop a contingency plan for business continuity, which should specifically address:
a) evacuation procedures;
b) business resumption;
c) emergency operating procedures; and
d) information systems and data recovery.
2. The Chairperson of the committee shall be in charge of implementation of the business continuity plan, and the Compliance Officer designated for purposes of liaison with the Competent Authority shall be a member of the Committee.
3. Market players shall immediately notify the Competent Authority in the event of any of the following:
a) a decision to change an off-site storage location;
b) the change of an off-site storage location;
c) the occurrence of any disaster affecting the market intermediary’s business;
d) a decision to implement the contingency business continuity plan; and
e) a change of location of operations following a disaster.
ARTICLE 9
MANAGEMENT OF RECORDS
Competent Authorities and market players shall ensure that:
a) primary copies of all printed records are kept in a systematic and well-categorized manner;
b) all primary copies of printed records are stored in fireproof cabinets;
c) secondary copies of all printed records are made by photocopying or scanning, and are updated on a quarterly basis;
d) all secondary copies of printed records are stored at an off-site storage location;
e) all employees of the Competent Authorities and all market players who are responsible for using or storing electronic records make backup copies (the first backup) of all primary electronic records and store them, preferably in magnetic or digital form; other forms may include tape, CD, Jaz or SyQuest disks; and
f) all first backup copies are themselves backed up on similar or other electronic, digital or magnetic media.
ARTICLE 10
OFFSITE STORAGE FACILITY
1. Each regulated securities market is required to arrange for the off-site storage of its backup
copies as provided for in Article 9.
(a) should not be less than 1 km from the principal place of business of the regulated
institutions, but they may be a branch office of the regulated institution or parent
company premises;
(b) where the customer is a company, the market intermediary shall also identify the
directors of the company;
(c) where the customer is a partnership or a limited liability partnership, the market
intermediary shall also identify the partners; and
(d) the off-site storage location shall be a convenient and secure location.
2. Competent Authorities and market intermediaries shall ensure that the identified location
of the backup site is accessible for a minimum period of six (6) weeks from initial date of
occupancy after disaster declaration. It shall be available for 24-hour access and retrieval
and be protected by: security, fire suppression, water detectors, heating, air and
ventilation.
3. The plan shall specify the period within which the market intermediary shall have access to
the backup site facility after notification and guaranteed occupancy shall be at least six (6)
weeks.
4. This storage facility will be reviewed for effectiveness annually.
5. All documentation of importance to the operations of the market intermediary shall be stored via this backup site. The offsite storage process will include, but is not limited to, the following:
a) backup tapes - weekly tape backups of ALL disk files, including mainframe, midrange, servers and PCs (mandatory, and with at least two generations);
b) system, program product, and in-house developed software manuals and guides;
c) legal - copies of contracts, leases, legal and critical correspondence;
d) insurance - policies, riders, and addendums;
e) financial - general and private ledgers, year-end financial statements, tax returns, bank records;
f) recovery plans - a complete set;
g) assets - complete fixed asset listings;
h) referenced items - copies of any item referenced within the recovery team plans;
i) floor plans;
j) architectural drawings, which should include mechanical plans;
k) photos of the facility and various work areas; and
l) other critical documents or data critical to the operation of the business.
ARTICLE 11
DISASTER MANAGEMENT
1. Competent Authorities and Market Intermediaries shall ensure that procedures are put in
place to manage disasters when they happen.
2. Competent Authorities and Market Intermediaries shall ensure that, in the event that a situation or disaster occurs at the primary business location, the Business Contingency Planning Team provides an emergency alert to the Management Team and assesses the emergency situation.
3. The Business Contingency Planning Team shall send an alert to all Department Heads within the intermediary. This team shall also ensure that status updates are provided to the Department Heads for dissemination of pertinent information.
4. The Competent Authority and market intermediaries shall also ensure that the Business Contingency Planning Team carries out a damage assessment to specifically identify who and what has been affected by the disaster.
5. The Business Contingency Planning Team will evaluate the event that has occurred and
determine what Department Heads will be required to respond to the situation. The
decision to activate the disaster recovery plan for the affected areas may be made at this
point or after notification and review with the Business Contingency Planning Team.
6. As part of the damage assessment process, the risk assessment to the business will be
evaluated. Considerations of engaging temporary facilities, equipment and vendors will be
reviewed and a determination to enact recovery procedures will be determined by the
Business Contingency Planning Team and Department Heads.
7. If after assessment it is determined that activation of the recovery plan is required,
notification to the Executive Team will be made. An authorized individual will immediately
notify the affected site that the disaster has been declared.
ARTICLE 12
DISASTER RECOVERY SITE
1. The Competent Authority shall ensure that market intermediaries identify an offsite
business operations center where members of the various business contingency teams and
other personnel will assemble immediately after they receive notification.
2. Competent Authorities shall ensure that off-site disaster recovery site locations are located
at least 10 km from the principal place of business of the regulated institutions, but they
may be a branch office of the regulated institution, a parent company or other convenient
and secure location.
3. The Competent Authority shall reserve the right to make directions on the suitability of
selected off-site disaster recovery locations.
4. Market Intermediaries shall ensure that access to this facility is controlled by the members
of the Business Contingency Planning Team.
5. The business continuity plan shall clearly describe the location of the offsite business operations center, including building name, street address, city, phone number and directions to the facility.
6. The Competent Authorities shall ensure that this offsite business operations center contains:
a) phones/facsimile and circuits;
b) internet capabilities;
c) PCs for documentation, letters and cc:Mail;
d) work area space;
e) a portable generator;
f) normal business type supplies;
g) emergency supplies, including bottled water;
h) a basic set of tools;
i) coordination with hot and cold sites for Information Systems; and
j) telephone forwarding mechanisms.
7. The identified location of the temporary facilities will be accessible for an extended period
of time and the market intermediary shall have access to the facility when it is determined
that normal business operations will be non-functional for an extended period of time.
8. The facility must be made available within twenty-four (24) hours after a market
intermediary provides written or verbal notice to vendor of intent to occupy the facility,
and guaranteed occupancy shall be at least twelve (12) months.
9. For the purposes of this Directive, the disaster recovery site for the regional Capital
Markets Infrastructure shall be located at a different Partner State.
ARTICLE 13
TESTING AND UPDATING
1. Each Competent Authority and market player should test its disaster recovery and business continuity plans at least quarterly to ensure credible recovery preparedness.
2. Each member must be regularly updated. Each office must report any changes, such as changes in personnel responsibilities, personnel contact information and/or functional changes.
ARTICLE 14
NOTIFICATION/COMMUNICATION PROCEDURES
1. The Competent Authority shall ensure that the Disaster Recovery Plan clearly outlines
communication procedures to be followed in case of emergencies and disasters.
2. The communication procedures should specify:
a) a key personnel call list including cellular phone and email contact details;
b) identified vendor for offsite call center operations who will supply offsite call center
capabilities to handle incoming calls; and
c) identified vendor for recovery of communications and equipment repair/replacement.
3. Competent Authorities shall ensure that market intermediaries identify vendors who will
provide communication recovery establishing a new core communications center and
equipment.
4. Both the offsite communication recovery vendor and the communications facility shall be
reviewed for effectiveness annually.
ARTICLE 15
RECOVERY TIMEPLAN
The Competent Authority shall ensure that business continuity plans include recovery time
plans.
ARTICLE 16
DATA BACK UP PLAN
1. The Competent Authority shall ensure that market intermediaries carry out backup procedures as specified in Article 9 above.
2. The Competent Authority shall ensure that all market intermediaries arrange for the off-site
storage of its backup copies as provided in Article 10.
3. Where a market intermediary is unable to organize its own off-site storage location, it
should notify the Competent Authority, which shall designate an off-site storage facility at
the market intermediary’s cost.
ARTICLE 17
DEFINING CRITICAL DATA/INFORMATION
1. Competent Authorities and Market Intermediaries shall ensure that business continuity
plans clearly detail the critical equipment, processes and quantity requirements for
resources that must be in place within specified timeframes after activation of the
disaster recovery plan.
2. The resources listed might include workstations, laptops (both with and without VPN
access), phones, conference rooms, etc.
3. The processes may include ability and access to trade and settlement infrastructure.
ARTICLE 18
RECOVERY STRATEGIES
1. The Competent Authority shall ensure that the business continuity plans of all market players identify recovery strategies for equipment and services.
The plan should ensure that:
a) business functions are recovered in priority sequence, based upon the classification of the function as agreed with business senior management and implemented jointly;
b) communications concerning the recovery status are coordinated through the Business Contingency Planning Team, so that those executing the recovery will not be interrupted repeatedly for status;
c) purchase and acquisition of equipment and supplies needed for the recovery effort is coordinated through company Department Heads;
d) the contingency planning infrastructure provides for coordination of travel arrangements, food and accommodation for individuals supporting the recovery effort;
e) non-critical functions, such as Development and Test environments, are cleared without backup as necessary to support the recovery efforts; and
f) where necessary, personnel from other sites may be called in to support the recovery efforts.
ARTICLE 19
THE CONTINGENCY PLANNING COORDINATORS
The Regulators and all market players shall identify and coordinate with internal and external points of contact for each major system to characterize the ways in which they depend on or support the IT system. They shall ensure that daily backups of critical files or tapes are made and stored off-site in the event of an incident or disaster, and shall:
a) identify disruption impacts and allowable outage times, including the maximum allowable time that a resource may be denied before it prevents or inhibits the performance of an essential function;
b) develop and prioritize recovery strategies that personnel will implement during contingency plan activation, considering issues such as cost, allowable outage time, security, and integration with larger organization-level plans;
c) coordinate with officials to establish contingency teams and team leaders for damage assessment and recovery teams; and
d) ensure that plans are reviewed and updated biannually.
ARTICLE 20
TRAINING
1. The respective partner members/Directors or Managers will ensure that all personnel are made aware of their respective responsibilities.
2. Each Director or Manager in the EAC will be responsible for the training of personnel. The training of personnel is essential to ensuring that each region maintains the capability to properly and efficiently execute its disaster recovery plan.
ARTICLE 21
PARTICIPATE IN AUDIT REVIEWS
Competent Authorities and market players will conduct informal and formal reviews of plans
to ensure that they are executable and in compliance with standards.
ARTICLE 22
AMENDMENTS
1. This Directive may be amended by the Council of Ministers.
2. Any proposals for amendment may be submitted in writing by the Partner States to the
Secretary General of the East African Community.
ARTICLE 23
TRANSPOSITION
1. Partner States shall bring into force the laws, regulations and administrative provisions
necessary to comply with this Directive not later than one year from the date of the
Council of Ministers’ approval. They shall forthwith inform the Council of Ministers
thereof.
2. When Partner States adopt those measures they shall contain a reference to this
Directive or shall be accompanied by such a reference on the occasion of their official
publication. The methods for making such reference shall be laid down by Partner States.
ARTICLE 24
ENTRY INTO FORCE
This Directive shall enter into force upon approval by the Council of Ministers.
ARTICLE 25
ADDRESSEES
This Directive is addressed to the Partner States.
Done in Arusha, Tanzania …..