KSS Information Memorandum 2021
Operations/ Finance
CIO
Operations
CIO
CIO/COO
CIO
CFO
Management
CIO
CIO
CIO
Board
Operations
Operations/ Finance
Tokenisation completed Dec 19. Exploring remaining PCI administrative effort.
Unchanged September 2017
Reviewed 30th every month
Redeveloping quarterly DR tests in place
Ongoing with a focus on improving adoption in stubborn pockets March 2020
Deployment in progress 75% complete In progress/ redeveloping
In progress/redeveloping
DR strategy now consists of a hybrid cloud / on-premises backup solution
Completed now scheduled for annual testing
Risk mitigation and Actions:
- Transition to stored data using Advam integration with Storman

Risk mitigations:
- Cards have a low limit of $5000.
- Card purchases are reconciled against receipts monthly for approval by the Ops Manager

Risk mitigation and Actions:
- Digitise and catalogue in cloud intranet (SharePoint)

Risk mitigation and Actions:
- Cash is reconciled daily with Statement.
- Overnight system checks Team Member accounts for transfer.
- Centres use a cash pick up service for banking.

Risk mitigations:
- Float is counted and recorded twice a day, once in the digital LOG Book

Risk mitigation and Actions:
- Introduction of cyber security education programme and cyber incident response in progress.
- Exploring Cyber Insurance

Risk mitigation and Actions:
- Redundancy plans are in place to run operations from THQ
- Redeveloping DR design to run from cloud (hybrid)
- Risk framework being redeveloped to account for change in DR technologies

Risk mitigation and Actions:
- Low cash holdings through frequent banking.
- In-house procedures and training in place.
- Duress alarms onsite

Risk mitigation practices and actions:
- Redesign network using SDWAN with multi redundant links

Risk mitigation and Actions:
- Business operations easily implemented with digital sign up platform
- Back up plan in place to operate remotely with a nearby sister centre
- Team Support Managers available to step in at short notice
- Systems/access can be operated remotely
- Call centre available to continue business
- All the THQ Team are set up and home ready

Risk mitigation practices and actions:
- Websites run on multi availability infrastructure (auto redundant)
- Internal critical systems are backed up every 30 minutes and can be recovered or run from THQ as part of disaster recovery design
- Multi site nature makes a system wide crash unlikely

Risk mitigation practices and actions:
- Tax services moved to PWC in 2017.
- Watson and Erskine support FBT.

Risk mitigation practices and actions:
- Centres have regular site audits by Operations Managers.
- Exception alert sweeps through software find anomalies.
- Insurance cover
- Continuous system upgrade
- Segregation of duty
- Whistle blowers are rewarded

- Annual Cyber Audits followed by remediation planning against evolving weaknesses and new exploits.

- Part of our annual audit practice is to check and confirm.
- Multiple Team Members counting and recording float amount.
Unplanned outages and infected systems (virus)
• Ransomware
• Critical outages of primary systems: Storman, Great Plains, Citrix
• Website crash for extended periods stopping online ecommerce.

Timely and accurate payment of tax obligations.

Fraud by internal employees in 2 categories:
1. THQ employees
2. Centre team employees

No redundancy means critical outages impacting teams and customers at site level

Fraud by customers, suppliers and public.

Breach of systems and data. Customer data privacy

In the event a critical outage occurs

Based on the 2020 COVID experience there is a likelihood that a centre or a number of centres could be forced to close temporarily for an extended time. THQ could potentially be forced to close.

All centres hold a cash float between $300 - $700 for change when a customer transacts using cash.

CHD stored in Storman presents a major risk if compromised

All centres have a corporate credit card for the purchase of operational incidentals in place of petty cash.

Risk associated with: Residual paper (contracts) storage and insurance, pre digital agreement platform

Reliance on key individuals such as Sam Kennard.

In-store team members could be confronted with violent hold-up attempts (probability is low).

Team members collect cash payments from customers for storage rent, box sales and miscellaneous.
• Pandemic
• Information Systems
• Tax
• Health Risk
• Internal Fraud
• Cyber Breach
• Key Man Risk
• Armed Hold-up
• Cash Collection
• Cash Float
• CHDS
• Credit Card
• Paper Agreements
• Internet Outage (retail ops)
• External Fraud
• Catastrophic Data Centre Outage (servers)