BUSINESS CONTINUITY PLAN

This plan has been designed to prepare P2P Nusa Kapital Sdn Bhd to cope with the effects of an emergency or crisis. It is intended that this document will provide the basis for a relatively quick and painless return to “business as usual” regardless of the cause.
A. Emergency Contact Persons
P2P Nusa Kapital sees two emergency contact persons. Namely:
(1) Chief Executive Officer
Name
:
Dr. Shahridan Faiez
Contact No
:
+6019 263 8518
Email
:
[email protected]
(2) Chief Financial Officer
Name
:
Izmi Marican
Contact No
:
+6012 484 5555
Email
:
[email protected]
P2P Nusa Kapital will promptly notify the Securities Commission of any changes within 30 days following the change. We will review and update this information within 21 business days following the end of each calendar year.
B. Firm’s Policy
In the event of a Significant Business Disruption (SBD), we expect this document to
  • Minimize the risk of damage to the firm’s property and injuries or deaths of the firm’s employees and to
  • Minimize disruption to the firm’s operations by quickly recovering and resuming business operations.
This includes allowing our clients to transact and protecting all of the firm’s books and records. Should circumstances dictate that we are unable to resume operations permanently, we will assure customers prompt access to their funds and securities. This plan will be executed on the authority of the Managing Partner and will be stored in hard copy at our offices and in soft copy on the cloud server. All employees will have access to this plan online or otherwise.
1) Significant Business Disruptions (“SBD”)
Our plan anticipates two kinds of SBDs, internal and external. Internal SBDs affect only our firm’s ability to communicate and do business, such as a fire in our building. External SBDs prevent the operation of the securities markets or a number of firms, such as any event of Force Majeure, being any event beyond the reasonable control of the obligated party, including but not limited to, acts of God, extreme weather or acts of third parties. Our response to an external SBD relies more heavily on other organizations and systems, especially on the capabilities of our Trustee.
2) Approval and Execution Authority
Dr. Shahridan Faiez, Chief Executive Officer, is responsible for approving the plan and for conducting the required annual review Dr. Shah has the authority to execute this Business Continuity Plan (“BCP”).
3) Plan Location and Access
Our firm will maintain copies of its BCP plan and the annual reviews, and the changes that have been made to it for inspection. An electronic copy of our plan is located on our physical backup server and cloud server, as provided by Dropbox, Inc. in the Emergency Information folder.
C. Business Description
Our firm conducts business in the provision of Shariah-compliant financing to firms through peer-to-peer networks. Financing is provided to the issuers through a Murabahah or a Mudharabah structure. As P2P Nusa Kapital is an introducing firm, we do not perform transactions for ourselves or others. Instead, this role is fulfilled by a trustee organization, Pacific Trustees Berhad (Company No. 317001-A).
D. Office Locations
(1) Operational Office
72A, Jalan Medang Tanduk,
59100 Bangsar,
Kuala Lumpur, Malaysia
Our employees within the city may travel to the office by means of car, bus and train. This office functions as the head office and is the venue of much of the processing of issuers and investors.
(2) Alternative Office
146 Jalan Ara,
59100 Bangsar,
Kuala Lumpur, Malaysia
Should the need arise, employees may be asked to work from an alternative office as stated above.
Our employees within the city may travel to the office by means of car, bus and train and may arrive from the KL office by flight.
E. Alternative Physical Location(s) of Employees
In the event of an SBD, staff may be required to work from home or at an alternative site wherein all the infrastructure (mainly internet) is available successfully continue our business. This allows them to remain in their respective cities, where our stakeholders are domiciled. Should the need arise, they may be allocated a working space at one of the other offices.
F. Customers’ Access to Funds and Securities
P2P Nusa Kapital does not maintain custody of customers’ funds. Funds are maintained by our Trustee. In the event of an internal or external SBD, if telephone service is available, our registered persons will take customer orders or instructions and contact our Trustee on their behalf, and if our Web access is available, our firm will post on our website that customers may access their funds and securities by contacting an agent of the firm via telephone or email. Should our firm be uncontactable, customers may elect to contact the trustees directly. The firm will make this information available to customers through its disclosure policy. We may also provide our books and records which may result in the identification of customers subject to regulations and legal orders.
G. Data Back-Up and Recovery (Hard Copy and Electronic)
Our production site is configured to automatically perform backups on a daily basis. In the event of an internal or external SBD that causes the loss of our digital or physical records, the site is automatically configured to retrieve the backups and reset without human intervention required. The system administrator will be notified with the relevant log reports to be follow up where necessary.
In addition, at any point in time, there are at least concurrent development site that will be able to replace the production site where necessary. This arrangement is also necessary to prevent unforeseen errors while developing updates for the site. In order for us to utilize the development sites, only a change in the DNS is required and this will limit the site downtime.
Copies of the daily electronic records are synchronized across our physical storage device located at 72A, Jalan Medang Tanduk, 59100 Bangsar, Kuala Lumpur and our online cloud server as provided by Dropbox, Inc.
Dropbox files are encrypted with industry standard 256-bit Advanced Encryption Standard (AES). Data in transit during syncing are protected with Secure Sockets Layer (SSL)/Transport Layer Security (TLS). Files will only be shared with authorized parties in order to restrict the proliferation of sensitive information. Dropbox Inc. regularly tests its infrastructure and systems for security vulnerabilities in order to enhance securities and protect against attacks. In addition, we will be using the two-step verification at login for our Malaysian operations in due course.
Files stored in the physical storage device located at 72A, Jalan Medang Tanduk, 59100 Bangsar, Kuala Lumpur will be encrypted with its own proprietary encryption.
Our firm maintains its primary hard copy books and records at 72A, Jalan Medang Tanduk, 59100 Bangsar, Kuala Lumpur. Izmi Marican, Chief Financial Officer, is responsible for the maintenance of these books and records.
Online records are backed up by paper records and backups are conducted once every six months.
H. Financial and Operational Assessments
(1) Operational Risk
Due to the nature of our business, we are required to maintain communications with our clients and retrieve key activity records through our mission critical systems. In the event of an SBD, we will immediately identify all means of communication still available with our clients, employees, regulators and other key stakeholders. In addition, we will retrieve our key activity records as described in the section above, Data Back-Up and Recovery (Hard Copy and Electronic).
(2) Financial and Credit Risk
In the event of an SBD, we will determine the value and liquidity of our investments and other assets to evaluate our ability to continue to fund our operations and remain in capital compliance. We will contact our Trustee, banks and investors to apprise them of our financial status. If we determine that we may be unable to meet our obligations to those counter-parties or otherwise continue to fund our operations, we will request additional financing from our bank or other credit sources to fulfill our obligations to our customers and clients. If we cannot remedy a capital deficiency, we will file appropriate notices with the regulators and immediately take appropriate steps.
I. Alternate Communications Between the Firm and Customers, Employees, and Regulators
(1) Investors and Counterparties
Official communication between the firm and its present investors and issuers is via email. However, should an SBD render the internet unavailable, we will communicate with the other party through telephone. Should a written record be necessary, we will follow up this line of communication with a paper copy delivered by mail.
(2) Employees
We communicate with our employees via email or Slack (an online office communicator) at present. Should there be no internet access, we will communicate via telephone.
(3) Regulators
We would typically contact regulators via email. However, should an SBD render that inappropriate, we will explore other open communication lines such as phone calls or written communication.
J. Critical Business Constituents, Banks, and Counter-Parties
(1) Business constituents
In light of an SBD, vendors supporting our operating activities will be advised on the extent to which we are able to resume our business relationship with them. We will establish alternative arrangements if the SBD impedes their ability to provide the goods to us when we need them.
(2) Banks
We will contact our banks to determine if they can continue to provide the services that we will need in light of the internal or external SBD.
K .Disclosure of Business Continuity Plan
Attached is our written BCP disclosure statement we will provide customers (via email) before deals. We will also post the disclosure statement on our website and mail it to customers upon request.
L. Updates and Annual Review
Our firm will update this plan whenever we have a material change to our operations, structure, business or location or to those of our Trustee. In addition, our firm will review this BCP annually, on 30 April, to modify it for any changes in our operations, structure, business or location or those of our Trustee.
M. Senior Manager Approval
I have approved this Business Continuity Plan as reasonably designed to enable our firm to meet its obligations to customers in the event of an SBD.
P2P Nusa Kapital’s Business Continuity Planning
P2P Nusa Kapital has developed a Business Continuity Plan on how we will respond to events that significantly disrupt our business. Since the timing and impact of disasters and disruptions is unpredictable, we will have to be flexible in responding to actual events as they occur. With that in mind, we are providing you with this information on our business continuity plan.
Contacting Us – If after a significant business disruption, you cannot contact us as you usually do at our phone number or email, you should call our alternative number or go to our website at www.nusakapital.com.
Our Business Continuity Plan – Business continuity planning is a priority for P2P Nusa Kapital. We understand any unexpected operating problems could have a significant negative impact on investors’ assets and overall operations of P2P Nusa Kapital. Therefore, this is an area which will be prioritised and constantly developed.
P2P Nusa Kapital’s business continuity process will include the following:
  1. Maintain backup of business-critical data outside our operating region to ensure that business disruption will be kept to a minimum in case of a disaster within our office location.
  2. Apart from having all data saved up in a physical storage in our office, we have and will continue to back up our data through cloud service provider Dropbox. We believe the benefits of Dropbox cloud storage for backup are the following
    • Ease in accessing information through desktop and mobile As our services will be largely offered online, we have the flexibility of carrying out our work in a different location (where internet services are available), should a disaster hit our office area.
    • Locations of data centres across the United States. Being in a different region and in several US states, provides risk diversification versus having only back up storage located in Malaysia or in neighbouring
    • Ease in collaboration and file-sharing among employees, which is crucial in a disaster situation wherein employees may have to work in different locations.
  3. In addition our service level agreement with our cloud servers providers includes a 99.9% network & hardware service level agreement. This includes the following systems in
    • Malware protection & scanning done by a combination of automated malware scans, integrity checks and web application
    • Brute force attacks are monitored and intrusions are prevented on both the server layer & web application
    • Server is configured for elastic demand to cope with unexpected traffic request.
    • Data storage is configured with a CDN delivery network to ensure reachable access regardless of user
Varying Disruptions – Significant business disruptions can vary in their scope, such as only our firm, a single building housing our firm, the business district where our firm is located, the city where we are located, or the whole region.
Within each of these areas, the severity of the disruption can also vary from minimal to severe. In a disruption to only our firm or a building housing our firm, we will transfer our operations to a local site when needed and expect to recover and resume business within a 24 hours’ time period. In a disruption affecting our business district, city, or region, we will transfer our operations to a site outside of the affected area, and recover and resume business within a 24 hours’ time period.
In either situation, we plan to continue in business, transfer operations to our trustee if necessary, and notify you through our website at www.nusakapital.com and our customer emergency number on how to contact us. If the significant business disruption is so severe that it prevents us from remaining in business, we will assure our customer’s prompt access to their funds.