OM-4.1 General Requirements
OM-4.1.1
To ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption, all licensees must maintain a contingency and business continuity plan (BCP). A BCP must address the following key areas:
(a) Data back up and recovery (hard copy and electronic);
(b) Continuation of all critical systems, activities, and counterparty impact;
(c) Financial and operational assessments;
(d) Alternate communication arrangements between the licensee and its customers and its employees;
(e) Alternate physical location of employees; and
(f) Communications with and reporting to the CBB and any other relevant regulators.
January 2014

OM-4.1.2
For reasons that may be beyond a licensee's control, a severe event may result in the inability of the licensee to fulfil some or all of its business obligations, particularly where the licensee's physical, telecommunication, or information technology infrastructures have been damaged or made inaccessible. This can, in turn, result in significant financial losses to the licensee. This potential event requires that licensees establish disaster recovery and business continuity plans that take into account different types of plausible scenarios to which the licensee may be vulnerable, commensurate with the size and complexity of the licensee's operations.
January 2014

OM-4.1.3
Licensees should identify critical business processes, including those where there is dependence on external vendors or other third parties, for which rapid resumption of service would be most essential. For these processes, licensees should identify alternative mechanisms for resuming service in the event of an outage. Particular attention should be paid to the ability to restore electronic or physical records that are necessary for business resumption. Where such records are backed-up at an off-site facility, or where a licensee's operations must be relocated to a new site, care should be taken that these sites are at an adequate distance from the impacted operations to minimise the risk that both primary and back-up records and facilities will be unavailable simultaneously.
January 2014

OM-4.1.4
Licensees should periodically review their disaster recovery and business continuity plans so that they are consistent with the licensee's current operations and business strategies. Moreover, these plans should be tested periodically to ensure that the licensee would be able to execute the plans in the unlikely event of a severe business disruption.
January 2014

OM-4.1.5
Effective BCPs must be comprehensive, limited not just to disruption of business premises and information technology facilities, but covering all other critical areas, which affect the continuity of critical business operations or services (e.g. liquidity, human resources and others).
January 2014

OM-4.1.6
Licensees must notify the CBB promptly if their BCP is activated. They must also provide regular progress reports – as agreed with the CBB – until the BCP is deactivated.
January 2014