ZYC-BCP-001 Business Continuity & Incident Response Policy


Purpose

To ensure Zeyro can maintain critical operations and recover quickly from any disruption, protecting clients, staff, and regulatory obligations under the UK MiFID framework and the financial-promotion regime.


Scope

Applies to all Zeyro staff and systems supporting:

  • Financial-promotion approvals (cryptoasset and OFR)

  • Facilities-service arranging

  • Corporate, compliance, and governance operations

Core systems covered: Microsoft 365, Atlassian Suite, Rippling, and GitBook.


Policy Statement

Zeyro’s continuity model is built around cloud-based infrastructure and distributed teams. We prioritise:

  1. Staff safety and regulatory compliance.

  2. Continuity of client communications and approvals.

  3. Restoration of data and systems within defined recovery targets.

Recovery Time Objectives (RTOs):

  • FCA or client communications – 2 hours

  • Cryptoasset approvals – 4 hours

  • OFR fund approvals – 6 hours

All systems include built-in redundancy, encrypted storage, and cloud recovery options.


Key Controls

1. Preparedness

  • Critical data is hosted in Microsoft 365 and Atlassian systems, each providing geographic redundancy.

  • Emergency contact details and continuity roles are stored in the Business Continuity Register within Confluence.

  • Access credentials and permissions are reviewed quarterly.

2. Incident Response

Continuity may be activated by a serious IT outage, data loss, or key-person unavailability. Steps:

  1. Notify the MLRO immediately.

  2. Assess operational impact and determine activation.

  3. Communicate with staff, clients, and regulators if required.

  4. Recover using cloud backups and alternate systems.

  5. Record actions and improvements in the Lessons Learned Register.

3. Communication

  • Internal: Teams, or phone if digital channels are down.

  • External: Clients and regulators via secure channels or alternate contacts.

4. Testing and Training

  • Annual tabletop test covering at least one realistic disruption scenario.

  • All staff receive continuity and incident-response training during onboarding and annually thereafter.

5. Review and Continuous Improvement

  • The policy is reviewed annually or after any incident activation.

  • Improvements are tracked through Jira Service Management.


Roles and Responsibilities

  • MLRO (SMF 16/17) – Business Continuity Lead; authorises activation and regulatory notifications.

  • Operational Staff – execute recovery procedures and maintain access control.

  • Zeyro Board – reviews overall continuity effectiveness and approves updates annually.


Document Control

  • Policy Code – ZYC-BCP-001

  • Policy Title – Business Continuity & Incident Response Policy

  • Document Owner – Gareth Malna – MLRO (SMF 16 & 17)

  • Responsible Reviewer(s) – Zeyro Board

  • Version – v 1.0

  • Date Approved – October 2025

  • Next Scheduled Review – October 2026

  • Change History – v 1.0 (Oct 2025): Consolidated BCP and Incident Response into unified framework using Microsoft 365, Atlassian Suite, Rippling, and GitBook as core systems.

  • Classification – Internal policy – distributed to all staff; available to regulators on request.
