Any Bank Disaster Recovery and Business Continuity Plan May 2009


ANY BANK DISASTER RECOVERY AND BUSINESS CONTINUITY PLAN

Emergency Plans
Disaster Recovery
Contingency Planning

DATE LAST CHANGED:
BOARD OF DIRECTORS APPROVAL:

Any Bank DISASTER RECOVERY AND BUSINESS CONTINUITY PLAN Month Year

CONTENTS

OVERVIEW
DRBCP PLANNING AND REVIEW
CHAIN OF COMMAND
DISASTER DR TEAM
ACTIVATION
NOTIFICATION
INTERDEPENDENCIES AND GEOGRAPHICAL CONCERNS
DRBCP RECOVERY OUTLINE
PANDEMIC FLU
BUSINESS IMPACT ANALYSIS
CORE SERVICES
    Core Data Services
    Item Processing
    ACH
    Fedline Advantage and Fed for the Web
REGULATORY NOTIFICATION
TECHNICAL DISASTERS
    Computer Virus, Disk crash, etc.
EMERGENCY TRAINING
SECURITY ARRANGEMENTS
REDUCED WORK FORCE AND WORK FORCE SUCCESSION CONSIDERATIONS
INSURANCE COVERAGE
DISTRIBUTION RECORD
TESTING
    Testing Procedures
    Security System
Appendix A: Emergency Telephone Numbers
Appendix B: Master Vendor Listing
Appendix C: List of Employees
Appendix E: Board of Directors
Appendix F: Contingency agreements with processing providers
Appendix G: Management Succession
Appendix H: Attachments
Appendix I: Key & Combination List
Appendix J: Emergency Evacuation Procedures
Appendix K: Disaster Telephone Answering Script
Appendix L: Any Bank Incoming Line Numbers
Appendix M: Startup, Shutdown, and End of Day Procedures
Appendix N: Detailed Directions to the SunGard Disaster Recovery Hot Site
Appendix O: Risk Assessment
Appendix P: Floor Plan Drawings with Utility Shutoff Locations for each Bank
Appendix Q: Specific Task Requirements of this Policy

OVERVIEW

The objective of Any Bank Disaster Recovery and Business Continuity Plan (DRBCP) is to minimize financial loss to the Bank and to continue to provide service to our customers, remain in compliance with applicable laws and regulations, and reduce damage to the Bank. Additionally, an overall objective of this plan will be to maintain, resume, and recover the business, not just recover the technology.

Business continuity planning is the process for Any Bank to ensure the maintenance and recovery of operations and customer services when confronted with adverse events. Events include natural disasters, technological failures, human error or terrorism. New business practices, technological changes, and increased terrorism concerns have created greater awareness and increased the need for an effective DRBCP. The DRBCP will also include a business impact analysis and risk assessment.

This DRBCP will address interdependencies, both market and geography based, the potential for wide-area disasters impacting an entire region, the loss or inaccessibility of staff, and recovery times. We anticipate that the amount of requested services will not decrease during a disruption, and in fact, service requests will probably increase.

This plan is the basic structure of a disaster recovery effort. The procedures outlined will serve as starting points and are subject to modification to suit the need or situation.

DRBCP PLANNING AND REVIEW

Any Bank Senior Management and Board of Directors have the overall responsibility for identifying, assessing, prioritizing, managing, and controlling risks. Disaster Recovery and Business Continuity planning responsibilities are fulfilled by setting policy, prioritizing critical business functions, allocating sufficient resources and personnel, reviewing DRBCP test results, and ensuring maintenance of a current plan.

Any Bank’s Information Technology Committee is responsible for the development and coordination of the DRBCP. While the Committee may recommend prioritization, it is ultimately the responsibility of Any Bank’s Board of Directors and Senior Management to prioritize critical business processes and establish plans to meet business requirements.

This DRBCP and its associated annual test will be subjected to an independent audit and will be reviewed by the Information Technology Steering Committee and Board of Directors on an annual basis. The DRBCP will be tested to the maximum extent possible. The annual review is a minimum requirement. The DRBCP should be a "living document" as new technology changes the Bank’s recovery needs.

CHAIN OF COMMAND

The chain of command set forth is to assure authority and control is passed effectively during a disaster. The chain of command is as follows:

• President/Chief Executive Officer
• Senior Vice-President/Operations
• Senior VP/Business Operations

DISASTER DR TEAM

The Disaster Recovery (DR) Team will be responsible for implementing the DRBCP and making changes to keep the plan operational. The members of the DR Team are as follows:

• Any, Chairman: DR Team Leader/Spokesperson
• Any, Secretary: Disaster Recovery Coordinator
• Security Coordinator
• Member
• Member
• EDP/IT Coordinator

The DR Team is assembled at the first indication of serious interruption of business. The DR Team leader will call for implementation of the plan after consulting with the members of the DR Team and evaluating the situation. The Team Leader then notifies the Board of Directors to inform them of the status and progress on a continual basis.

The responsibilities of the DR Team are as follows:

• Make sure the Bank is secure
• Evaluate the disaster situation
• Implement the recovery plan
• Inform Any Bank Board of Directors
• Authorize special assignments
• Approve expenditures

ACTIVATION

The activation of the DRBCP is determined by the amount of time estimated to effect normal day-to-day operations. This plan will normally be activated not later than 12 hours after the contingency or emergency. The DR Team must consider immediately a need to activate the plan if normal operations cannot be resumed in a timely manner.

Once a disaster has occurred and affected normal operations, the DR Team will be assembled and a decision to implement the DRBCP will be considered. If for any reason the Bank President cannot be contacted, the decision will be shifted to the next available person listed in the Chain of Command. The DR Team may terminate this procedure when normal operations return.

NOTIFICATION

A rapid notification is critical to the security of Any Bank. The first person to discover the disaster should notify the President, who then will assemble the DR Team, if necessary. The assembly of the rest of the employees only occurs after the DR Team agrees that the problem cannot be corrected in a short period of time. However, there are exceptions to this rule and all participants are expected to use discretionary judgment in making the decision to assemble all the employees. Where the damage assessment proves so severe that recovery within 12 hours appears to be a remote possibility, the call for employee assembly is justified.

The Bank’s emergency notification list (not comprehensive but a guideline) is outlined below. Contact numbers are contained in the appendices of this document.

a. Notify Regulatory Authorities
b. Notify SunGard Disaster Recovery Services
c. Notify ATT (data communications)
d. Notify Network Support Contractor

The person responsible for Overall Command of Any Bank Disaster Recovery Team (normally the bank president) will be the spokesperson and notify the media as to the situation and begin the process of handling the press and media requests. It should be stressed to all personnel that ONLY the spokesperson will give information and interviews to the media.

If local law enforcement and fire departments are not on the scene, the need for notifications is pertinent. Call the local police at once to secure the area.

Following the disaster, the media can be used effectively to convey important messages to our customers, and extreme care should be taken in responding to reporters’ questions. The information provided should be honest, factual, and presented in a positive manner to alleviate customer fears. The spokesperson should make notes before talking with the media.

The Bank President (or the next available person in the chain of command) will notify all regulatory agencies within 12 hours of declaring the emergency or contingency.

The following are some concerns of the processed banks and customers following a disaster and should be included in remarks to the media:

a. State when the Bank will re-open (if known)
b. Give locations of alternate sites
c. Give hours Any Bank will be in operation during the emergency period
d. Use discretion when reporting on personal injuries, deferring these reports to medical and law enforcement officials for that information

Persons in charge of handling the media or customer requests will need definite guidelines as to the media being allowed in the off-site or reciprocal locations. Personnel in these locations will be under a certain amount of stress and should not be subjected to visitors in the area who may disrupt their work.

INTERDEPENDENCIES AND GEOGRAPHICAL CONCERNS

Any Bank’s management understands that the current regional economic environment requires dependency on many vendors. The effects of a major disaster or contingency at a key vendor site may have widespread effects for Any, Arkansas. A copy of the DRBCP, Emergency Supply List and 3 days' worth of materials will be kept at Any Bank’s alternate processing site located at the North Branch in Any, Arkansas.

Vendor: Information Technology Inc
Primary Location: Lincoln, Nebraska
Major Contingency Procedure: Provide Hot Site for Information Technology Inc Banking System Data & Item Processing
Documentation: This agreement should be tested annually with the results documented in the Information Technology Committee and Board of Directors' minutes.
Purpose: Core Banking System

Vendor: Elan (Shazam)
Primary Location: Johnston, Iowa
Major Contingency Procedure: Move to alternate site in Atlanta, GA
Documentation: Results of annual testing should be provided to the Bank. Results should also be made a part of the vendor’s file for the Bank’s annual vendor review.
Purpose: ATMs & Debit Cards

Vendor: Federal Reserve
Primary Location: Little Rock, AR
Major Contingency Procedure: Arrangements for moving cash orders and receipt as well as cash letter to the Federal Reserve Bank in Dallas, TX
Documentation: Agreement with FRB and ABB
Purpose: Cash Letter, Cash Ordering

DRBCP RECOVERY OUTLINE

STEP 1: Key management learns of a contingency or disaster.

STEP 2: The DR Team is formed. The leader of the DR Team will decide the location(s) where the team will be formed, taking into consideration the current disaster. Team notification will be accomplished via home telephone, cell phone, or runner. The course of action will be decided and implemented.

STEP 3: Contingency Plan has been invoked. The person responsible for Overall Command (or the next person in the chain of command) will handle media, regulatory notifications and communications. Key areas for media notification include local radio, television, and newspaper. Initial restoration of the core services (see below) is covered with an agreement with Name of your Data Processor Software to provide emergency data processing at their hot site in City, State. One Any Bank employee will go to City, State with backup media to restore the system. Proof work will also be sent electronically or carried to the item processing company’s hot site for item processing. Remote deposit capture items will be retrieved electronically and processed at the hot site.

STEP 4: Any Bank data processing personnel are concurrently working to move operations to the branch Bank building in or gain delivery of a temporary building from MPA Systems, procure and install data lines, get telephone communications installed, etc. Additionally, data processing personnel will handle bank PC setup (telnet, etc.) and communications between the Data Processing Company emergency sites. Primary disaster locations for each Bank location are listed below.

LOCATION:
CONTINGENCY LOCATION:

If the emergency or disaster affects the contingency location, Bank management will procure temporary building space in the nearest unaffected area/region.

STEP 5: Data processing personnel will be using insurance funds to procure a replacement server for Name of Your Banking System software. The replacement server will be placed at the temporary building or other alternate site. Network connectivity and PCs will be ordered and installed using the Bank's service provider.

STEP 6: Employee Internet access and other secondary banking activities will need to be coordinated.

STEP 7: New building construction should be started as soon as practical.

PANDEMIC FLU

The CDC estimates that a "medium-level" pandemic flu may cause up to 207,000 deaths in the United States, with another 725,000 hospitalizations and 20-47 million people being sick, with an economic impact in the range of $71 - $166 billion. A pandemic flu could easily leave 25-30% of the workforce ill for an extended period.

The latest version of the flu believed to have pandemic potential is the avian H5N1 strain. This strain has infected approximately 100 people since 1997, with half of those infected dying. It has also caused the greatest number and most severe outbreaks among poultry in history. Large numbers of wild birds are dying from this extremely deadly strain. Although the strain does not jump easily from avian to human at this time, experts fear that it could evolve into a strain that spreads as easily as the normal flu.

Unlike most disaster scenarios, with pandemic flu, the Bank’s main concern is not the loss of equipment or operations facilities, but instead the people necessary to make it all work. The enclosed items are part of the Bank plan to prepare for a pandemic that could leave the Bank without 30% of the workforce for weeks or months.

• Determine the impact that long-term illnesses will have on operations and update the plan accordingly. This is included in the Business Impact portion of the plan.
• Appoint an emergency response team with defined roles and responsibilities. This is included in the Bank’s disaster response team and emergency chain of command.
• Identify critical functions and essential employees required to continue normal operations by location. This is identified in this plan in the employee succession plan.
• Cross train employees from multiple locations with minimal face-to-face contact to be able to fill these essential roles. This is part of the risk mitigation controls for a potential pandemic flu outbreak. Cross training exercises will be conducted at least annually and documented.
• Determine what functions could be conducted remotely and provide for secure access in the event of a pandemic. VPN access is part of our mitigation controls for key employees.
• Review personnel policies for sick leave compensation and guidelines for when employees are allowed to return to work after a pandemic illness.
• Have posters and other material available to educate employees on proper hygiene in the event of virus outbreaks.
• Collaborate with local and national authorities to participate in the planning process and to be more aware of potential threats.
• The bank will notify the (city) Department of Health, Red Cross, and/or the CDC of suspected pandemic illness. The bank will monitor news sources and sites such as www.who.int and www.cdc.gov to track possible pandemic outbreaks and levels of infection. The CDC information number is 1-800-CDC-INFO.
• Communications with key/critical vendors will be accomplished using the emergency list of phone numbers in the appendix of this policy. Bank employees will continue to update this plan with secondary vendor numbers.

Bank Precautions to Help Maintain the Workforce:

• Review key personnel succession to make sure you have identified critical and non-critical daily duties and replacement personnel.
• Consider setting up secure remote connections (i.e., VPN, etc.) so employees can work from home if necessary.
• Employees should cover their mouth and nose with tissues (World Health Organization does not recommend cloth handkerchiefs) when they sneeze or cough. Make sure tissues are disposed of promptly and properly.
• Make a supply of surgical masks available at the drive-ups, teller lines, or other places where employees interface directly with customers.
• Employees should frequently wash their hands with soap and water. Hand washing should last 20 seconds with hot water. Keep an ample supply of anti-bacterial soap in public areas of the Bank.
• Encourage employees to stay home if they are sick. Employees should see a physician if illness continues.

Pandemic Outbreak Strategy:

The Phase Levels to the WHO Pandemic Alert System:

Level 1: 'Inter-Pandemic Phase' - There is Low Risk of Human Cases. No bank action is required at this phase.

Level 2: 'Inter-Pandemic Phase' - There is Higher Risk of Human Cases. The bank will continue with regular normal monitoring of WHO and CDC sites.

Level 3: 'Pandemic Alert' - No or Very Limited Human-to-Human Transmission. The bank will remind employees of steps to take to reduce pandemic risk, such as hand washing, symptoms of the pandemic, etc.

Level 4: 'Pandemic Alert' - Evidence of Increased Human-to-Human Transmission. The bank will continue to remind employees of steps to take to maintain the workforce. Supply levels of soap, tissues, masks, etc. are verified. Cross training and succession charts are reviewed and personnel are briefed on alternate responsibilities. Alternative methods to work from home or other locations (VPN) are reviewed to ensure operability.

Level 5: 'Pandemic Alert' - Evidence of Significant Human-to-Human Transmission

Appendix H: Attachments

• ATM Vendor – ATM Contingency

Appendix I: Key & Combination List

Do not write codes on this list. Store each code in a sealed envelope labeled accordingly and place it in an off-site safe deposit box with dual control access. Indicate the box number and location of each envelope on this form. In some cases, it may be necessary to store the codes in two secure locations.

Extra Safe Deposit Box keys in Safe Deposit Box #
Door Key Codes stored at ANY (The master key & instructions are stored in the Fire Proof Cabinet in Operations)

Fire Proof Cabinets - Vault combination codes:

LOCATION: Any (Main), Any (North)
SECURE COMBINATION LOCATION:

Appendix J: Emergency Evacuation Procedures

BANK PROCEDURES: In the event that a disaster should occur or a warning is received of impending danger sufficient to warrant evacuation of the Bank, the Security Officer, Branch Manager, or Bank President will announce the implementation of evacuation procedures. The supervisor in each area should proceed to see that the following steps are taken in their areas:

LOAN DEPARTMENT: All personnel who have any notes at their desks are to return them to be placed in retardant note files. The loan processor will see that the loan files are properly shut. Each loan assistant will see that all official checks are placed in the vault.

TELLERS: Each teller will remove their cash drawer and proof work and place them in the vault. The teller supervisor will see that all cashier checks, official checks, money orders, collection items, and travelers checks are placed in the vault. The assistant teller supervisor will see that all deposit bags are placed in the vault. Each CSR will see that all necessary items at their desk are placed in the vault. The security officer will see that the vault is closed and locked.

DATA CENTER: Proof operator will end the current run and take unposted work to the evacuation site. Data center manager will power down the servers or provide directions to the nearest operator.

GENERAL: The security officer or branch manager will be responsible for making an announcement that a bank-wide evacuation is in progress. The Security Coordinator, branch manager, or Bank President will see that all items above have been completed and all employees have left the Bank and are en route to the designated evacuation site. He or she will then secure the Bank facility, post the emergency door signs, and meet the employees at the designated evacuation site. Once the employees have gathered, the security officer/branch manager/Bank President will be responsible for determining that all personnel are safe and accounted for. The timing of a telephone call to the proper emergency authorities is to be determined by the Security Officer or Bank President based on the nature and severity of the event.

Designated Evacuation Sites:

LOCATION:
EMERGENCY EVACUATION SITE:

Appendix K: Disaster Telephone Answering Script

TO: The Valued Customers of Any Bank
RE:

As you may know, we have suffered a disaster in our banking community. Our main building has been _ (destroyed, damaged, etc.) by the recent (tornado, fire, earthquake, etc.). We want you to know that your money is safe, secure, and available. We will continue to provide you all cash and deposit services that you require. Although this is certainly a setback, we have planned and tested for this type of contingency many times. Full services will be available very soon. We are prepared to completely overcome this contingency without interrupting our service to you. Please stay tuned to the local radio and television stations as we continue to provide updated information, post service locations and our extended hours to provide community banking services to our customers.

Sincerely,
President
Any Bank

Appendix L: Any Bank Incoming Line Numbers

CenturyTel® provides all communications outside the Bank including voice, fax, and computer, through the following lines:

Appendix M: Startup, Shutdown, and End of Day Procedures

STARTUP PROCEDURES

SHUTDOWN PROCEDURES

END OF DAY PROCEDURES

DO NOT proceed with these instructions until you have completed all of your Proof of Deposit work, entered all new accounts, and have done any necessary File Maintenance.

Appendix N: Detailed Directions to the SunGard Disaster Recovery Hot Site:

From: Any, Arkansas 72101 US
To: Little Rock National Airport, Airport Rd, Little Rock, AR 72202-4404 US

Appendix O: Risk Assessment:

Columns: Bank business system or department; Disaster or contingency; Disaster or contingency probability; Impact; Controls and other risk mitigation factors; Control factor rating; Total disaster risk rating.

Bank business system or department: Retail Banking Facilities
Disaster or contingency: Loss of building due to fire, earthquake, or tornado
Controls and other risk mitigation factors: Employee training procedures on where to go during inclement or dangerous weather should help limit injury and loss of life. DR Plan provides alternate bank buildings to support loss of a building/facility. Restoration of services is prioritized according to disaster, i.e., loan processing is important during a community event such as a tornado or earthquake; customer service is more important after a fire.
Control factor rating: 0.5
Total disaster risk rating: 3.50

Bank business system or department: Data Center
Disaster or contingency: Loss of data center due to fire, earthquake, or tornado
Controls and other risk mitigation factors: Employee training procedures on where to go during inclement or dangerous weather should help limit injury and loss of life. DR Plan provides for a contract with SunGard Data Recovery Services to provide a "bank in a trailer". The Bank has tested and stored off-site data backups to recover to the SunGard server.
Control factor rating: 0.25
Total disaster risk rating: 1.50

Bank business system or department: Data Communications
Disaster or contingency: Loss of data communications circuits due to inclement weather such as lightning, tornado, earthquake, or security breach
Controls and other risk mitigation factors: Alternate data routing using MPLS for processed banks helps mitigate loss of data paths. Maintenance contracts with 24-hour replacement on critical network equipment. Network IDS/IPS and firewalls are used to minimize data security breaches.
Control factor rating: 0.5
Total disaster risk rating: 3.50

Bank business system or department: Key computer and data processing systems (Premier Server, Director, Imaging Equipment, Item Processing Equipment, Firewalls, Network Switches, Internet Access Equipment, etc.)
Disaster or contingency: Loss of key computer systems due to a security breach, virus outbreak, loss of electrical power, or malware infection
Controls and other risk mitigation factors: Replacement PCs maintained at Bank locations, up-to-date antivirus/antispyware, firewalls, and user education. Employee training on manual Bank operations including balancing and other transactions. Service contracts on all key/critical network equipment. Backup internet connection at alternate location.
Control factor rating: 0.25
Total disaster risk rating: 1.25

Bank business system or department: Key Bank Leadership and Employees
Disaster or contingency: Loss of key personnel due to disease outbreak or pandemic such as bird flu
Probability / impact: 1.8
Controls and other risk mitigation factors: Employee training and awareness to help reduce the spread of contagious disease. Bank procedures to handle customer service with minimal interaction between employees and infected personnel. Integrated efforts between local and regional health and medical departments and the Bank.
Control factor rating: 0.5
Total disaster risk rating: 2.90

Bank business system or department: Telephone Equipment
Disaster or contingency: Loss of telephone systems due to security breach, virus outbreak, loss of electrical power, or malware infection
Probability / impact: 1.8
Controls and other risk mitigation factors: Service contracts on telephone systems, backup list of cellular devices and PDAs to be used in an emergency.
Control factor rating: 0.25
Total disaster risk rating: 1.20

Appendix P: Floor Plan Drawings with Utility Shutoff Locations for each Bank:

Appendix Q: Specific Task Requirements of this Policy

SCHEDULED TASKS REQUIRED BY THIS POLICY

THE COMPLETION OF EACH TASK SHOULD BE FORMALLY DOCUMENTED IN COMMITTEE AND BOARD MINUTES

Columns: Task; Frequency; Responsible person or committee; Date accomplished.

Task: Review, revise, and approve of this policy.
Frequency: Annually
Responsible person or committee: ITPC and Board of Directors
Date accomplished:

Task: Perform and document a complete test of the bank’s DR and BCP plan annually. This test should ensure the involvement of key bank personnel and be as realistic as possible.
Frequency: Annually
Responsible person or committee: ITPC and Board of Directors
Date accomplished:

Task: Review and approve the bank’s BCP and DR risk assessment.
Frequency: Annually
Responsible person or committee: ITPC
Date accomplished:

Task: Test the bank’s alternate item and data processing procedures. Results should be documented.
Frequency: Annually
Responsible person or committee: ITPC and Board of Directors
Date accomplished:

Task: Review and inventory the bank’s disaster and business continuity supplies.
Frequency: Annually
Responsible person or committee: ITPC and Board of Directors
Date accomplished:

Task: Review and update employee list.
Frequency: Semiannually
Responsible person or committee: ITPC
Date accomplished:

Task: Review and update home and cell phone list.
Frequency: Semiannually
Responsible person or committee: ITPC
Date accomplished:

Task: Review and update listing of Board Members.
Frequency: Annually or more often as required
Responsible person or committee: ITPC and Board of Directors
Date accomplished:

Task: Review and update building evacuation procedures.
Frequency: Annually or more often if a substantial building or operations change is made
Responsible person or committee: ITPC
Date accomplished:

Task: Review and update the bank’s list of critical vendors.
Frequency: Annually
Responsible person or committee: ITPC
Date accomplished:

Task: Review and test manual operations.
Frequency: Annually
Responsible person or committee: ITPC
Date accomplished:

Date posted: 20/10/2022, 08:51
