Information Memorandum for Insurance Broking And Risk Manage

KENNARDS SELF STORAGE

Jeff Xanthos

CFO

Management

Jeff Xanthos

Jeff Xanthos

Jeff Xanthos

Board

Operations

Operations/ Finance

Operations/ Finance

Jeff Xanthos

Operations

Jeff Xanthos

Jeff Xanthos

Darren Marshall

Unchanged September 2017 Reviewed 30 th every month

DR strategy now consists of hybrid cloud on premis backup solution

Completed now scheduled for annual testing

Implementing 30% TBC 2020

Next audit May 2019

In progress/redeveloping

Tested April 2017

Tested 2020

Completed Dec 2019

Completed March 2020 March 2020

- Team adopted Microsoft Teams for conference calls and facilitating communication

Risk mitigation practices and actions: Websites run on multi availability infrastructure (auto redundant) Internal critical systems are backed up every 30 minutes and can be recovered or run from THQ as part of disaster recovery design - Multi site nature makes a system wide crash unlikely Risk mitigation practices and actions: - Tax services moved to PWC in 2017. - Watson and Erskine support FBT.

Risk mitigation practices and actions: - Centres have regular site audits by Operations Managers. - Exceptions alert sweeps through software finds anomalies. - Insurance cover - Continuous system upgrade - Segregation of duty - Whistle blowers are rewarded Risk mitigation practices and actions:

- Redesign network using SDWAN with multi redundant links Risk mitigation and Actions:

- Annual Cyber Audits followed by remediation planning against evolving weaknesses and new exploits. - Introduction of cyber security education programme and cyber incident response in progress. - Exploring Cyber Insurance Risk mitigation and Actions: - Redundancy plans are in place to run operations from THQ - Redeveloping DR design to run from cloud (hybrid) - Low cash holdings through frequent banking. - In-house procedures and training in place. - Duress alarms onsite Risk mitigation and Actions: - Risk framework being redeveloped to account for change in DR technologies Risk mitigation and Actions:

- Cash is reconciled daily with Statement. - Overnight system checks Team Member accounts for transfer. - Centres use a cash pick up service for banking. Risk mitigations:

- Float is counted and recorded twice a day, once in the digital LOG Book - Part of our annual audit practice is to check and confirm. - Multiple Team Members counting and recording float amount. Risk mitigation and Actions: - Transition to stored dan using Advam integration with Storman Risk mitigations: - Cards have a low limit of $5000.

- Card purchases are reconciled against receipts monthly for approval by the Ops Manager Risk mitigation and Actions: - Digitise and catalogue in cloud intranet (Sharepoint) Risk mitigation and Actions:

- Business operations easily implemented - with digital sign up platform - Back up plan in place to operate remotely with a nearby sister centre - Team Support Managers available to step in at short notice - Systems/access can be operated remotely - Call centre available to continue business - All the THQ Team are set up and home ready

Unplanned outages and infected systems (virus) Ransomware • Critical outages of primary systems: Storman, Great Plains, Citrix • Website crash for extended periods stopping online ecommerce. Timely and accurate payment of tax obligations. Fraud by internal employees in 2 categories: 1. THQ employees 2. Centre team employees

No reduncy means critical outages impacting teams and customers at site level Fraud by customers, suppliers and public. Breach of systems and data. Customer data privacy In the event a critical outage occurs

Reliance on key individuals such as Sam Kennard. In-store team members could be confronted with violent hold-up attempts (probability is low).

Team members collect cash payments from customers for storage rent, box sales and miscellaneous.

All centres hold a cash float between $300 - $700 for change when a customer transacts using cash. CHD stored in Storman present major risk if compromised

All centres have a corporate credit card for the purchase of operational incidentals in place of petty cash.

Risk associated with: Residual paper (contracts) storage and insurance, pre digital agreement platform

Based on 2020 COVID experience there is likely hood, a centre or number of centres could be forced to close temporarily for extended time. THQ could potentially be forced to close

- Pandemic

• Information Systems • Tax

• Internal Fraud

• Internet Outage (retail ops)

• External Fraud

• Cyber Breach

• Catastrophic Data Centre Outage (servers)

• Key Man Risk

• Armed Hold-up

• Cash Collection

• Cash Float

• CHDS

• Credit Card

• Paper Agreements

• Health Risk

Information Memorandum Kennards Self Storage June 2020 19