MGIC BUSINESS CONTINUITY PROGRAM

Mortgage Guaranty Insurance Corporation ("MGIC") and its affiliates recognize the importance of maintaining a viable business continuity strategy and have developed a comprehensive business continuity program ("Program") designed to prevent interruptions in the business operations.

MGIC's Business Continuity Planning Process

The business continuity planning involves the entire company including MGIC-Australia initiatives.

The Program is reviewed and approved by MGIC's Board of Directors (or a Board committee) and by senior management. It is directed by the SVP Information Services/Chief Information Officer and the Vice President Information Services - Chief Information Security Officer and administered by two full-time certified Business Continuity Coordinators dedicated to the development, execution and on-going testing of business continuity/recovery plans for all business units within MGIC, as well as the overall network and system infrastructure.

Funding for the Program is through the Information Services Department and covers internal corporate and external business continuity expenditures, including personnel, equipment and services that would be needed to prepare for and respond to a business interruption.

Plans are developed based on the full loss of MGIC's operational facilities, but also on the basis of a partial loss of such facilities. At the time of an incident, an assessment by the MGIC Management Incident Response Team (MIRT) may result in either a full or partial activation of the business recovery plan(s).

The highest-level business recovery team is the MGIC Management Incident Response Team (MIRT). The MIRT is responsible for driving the continuity initiatives for MGIC in the event of a business interruption, including damage assessment, declaration, direction and control for corporate communications, personnel and financial resource allocation, and implementation of the appropriate actions for response, recovery and restoration of MGIC's Critical business processes.

Example of a full activation: destruction of facilities within MGIC's headquarters where data processing and finance functions are conducted.

Example of partial activation: closing of a remote location due to environmental conditions, or loss of a business function caused by an isolated incident, requiring the relocation of personnel and services.

MGIC conducts Business Impact Analysis (BIA) to determine the Maximum Tolerable Outage (MTO) for each business process. The MTO is the maximum time a business process can remain unavailable before its loss starts to have an unacceptable impact on the goals or survival of the organization. Recovery plans, which include Recovery Time Objectives (RTOs), are developed and prioritized based on BIA results.

Recovery plans for Critical business processes are reviewed every two years or as needed in response to new or changing business unit requirements. Call trees and personnel contact lists are updated each quarter and tested at minimum on an annual basis using MIR3, MGIC's Emergency Notification Tool. Program funding requirements are reviewed periodically.

Critical business processes consist of, but are not limited to, those business processes which impact key customer relationships, generate revenue, or ensure compliance with contractual or regulatory requirements in a material respect.
Customer Communication following a Business Interruption Declaration

E-mails will be sent to all MGIC customer contacts in a timely fashion. Subsequently, information will be available by calling MGIC's Customer Service Department at 1-800-424-6442.

Program Objectives

The principal objectives of the Program are to:

- Recover MGIC's Critical business processes within 24 hours of a business interruption declaration.
- Satisfy obligations and commitments to safeguard the confidential information of MGIC, the customers, employees, and other business associates throughout the business resumption process.
- Minimize adverse financial consequences associated with an interruption of business operations.

Business Continuity Team Hierarchical Structure

Business continuity is based on a three-level team structure.

Level 1 Leaders (L1s), a.k.a. the Management Incident Response Team (MIRT), are responsible for overall management and direction of the Program and response to a business interruption. L1s are responsible for approving corporate-wide high level strategy for business continuity and reporting on its status to executive management and the Boards of Directors of MGIC and its affiliates. They approve allocation of funds and resources for these purposes. At the time of a business interruption, they notify persons who need to be mobilized, declare or cancel the assessment of the business interruption, activate emergency responses and resolve questions that arise in the response to the business interruption.

Level 2 Leaders (L2s) are responsible for direction of the critical business processes if a business interruption is declared. L2s provide guidance in planning, promote awareness of the Program within MGIC, review and approve elements of planning and participate in testing the Program. At the time of a declaration, they assist the L1s in mobilizing resources and activating emergency responses.

Level 3 Leaders (L3s) are responsible for tactical planning and recovery of business processes if a business interruption is declared. L3s create business continuity plans for their teams, review their plans and participate in testing and establish priorities for recovery within their Critical business processes. At the time of a declaration, they mobilize team members, conduct recovery team meetings, prioritize recovery initiatives, support recovery efforts and report on their status within their areas of responsibility.

MGIC Command and Control (diagram below)

At the time of a business interruption declaration, Level 1 Leaders will organize into a command and control structure similar to the Incident Command System (ICS). The Incident Command System is a well-organized team approach for managing critical incidents. It has been in practice for over 35 years and is used today by Federal, State, County and local emergency response agencies. ICS is being widely adopted by the private sector.

MGIC uses a hierarchical team structure for business recovery marked by clear separation of duties, decision making and communication in order to maximize the efficiencies of the recovery teams.

The highest-level business recovery team is the Management Incident Response Team (MIRT). The MIRT is responsible for driving the recovery initiatives for MGIC in the event of a business interruption, including damage assessment, declaration, direction and control for corporate communications, personnel and financial resource allocation, and implementation of the appropriate actions for response, recovery and restoration of MGIC's Critical business processes.

The MIRT is led by SVP Information Services/Chief Information Officer, who has primary responsibility for the Program, together with the Vice President Information Services - Chief Information Security Officer. Their primary roles and responsibilities include:

- Declare or cancel the assessment of the business interruption. MGIC will declare a business interruption when natural occurrences, technological problems or other emergencies interrupt the operations of a critical business process of MGIC, resulting in the time to resume the critical business process exceeding the Maximum Tolerable Outage (MTO) of that critical business process.
- Activation of the Emergency Operations Center (EOC). The EOC is a pre-defined location that is activated in a business interruption or emergency from which the overall command, control, communication and coordination are conducted.
- Supervision and management of the MIRT.
- Management and monitoring of overall recovery efforts.
- Authorization and prioritization of all recovery efforts.

Recovery Process

MGIC's goal is to recover all Critical business processes within a recovery time objective of 24 hours from declaration of a business interruption. Critical business processes consist of, but are not limited to, those business processes which impact key customer relationships, generate revenue, or ensure compliance with contractual or regulatory requirements in a material respect.

Business Recovery Plans are developed for all Critical business processes. Every three years a complete evaluation is undertaken to define these business functions within MGIC.

MGIC protects all electronic and hard-copy "Production" information for the purposes of recovering MGIC's Critical business processes in the event of a business interruption.

To ensure an uninterrupted power supply, MGIC has installed diesel powered generators that take over within 15 seconds if a sub-standard power supply is identified.

Recovery Data Center - MGIC owns or leases all equipment necessary to recover MGIC's computing environment. This equipment is installed and in a rapid recovery state within a leading co-location hosting services company 90 miles from MGIC's Corporate Headquarters.

MGIC owns and maintains an Emergency Operations Center (EOC) as well as office ready workspace which addresses the operational requirements for its Milwaukee based workforce.
This workspace includes: desks, PCs, phones, printers, scanners, copiers, direct connectivity to the recovery data center and wireless access for additional connectivity.

Functional business recovery exercises are conducted at minimum on an annual basis leveraging the office ready recovery workspace connected directly to the co-location recovery center. Participants execute recovery plans that include the complete loss and recovery/continuation of MGIC's Critical business processes.

MGIC establishes an Emergency Operations Center in the event of a business interruption.

MGIC's business recovery plan is developed to support three distinct phases of the business interruption: response; recovery; and resumption of business. (See diagram)

[Diagram: Phases of a Disaster. Phases: RESPONSE, RECOVERY, RESUMPTION. Activity labels: Emergency Response; BCT Command and Control; Decision for Declaration; Invoke manual procedures for business continuance; Recover Critical Business Functions; Resume full daily activities of critical functions; Address non-critical business functions; Address migration or return to permanent facility. Timeline markers: Event occurs; Declaration; Critical Functions operational w/current date. RTO - Recovery Time Objective.]

Business interruptions at a Customer's Location:

An event could interrupt business operations of the customers of MGIC and its affiliates, consisting of mortgage lenders and servicers. The insurance operations of MGIC and its affiliates do not involve direct contact with borrowers whose loans are insured or require physical presence at the insured's property. Therefore, MGIC does not need to deliver personnel, equipment or other resources to the site of a customer's business interruption.

MGIC's contacts are almost entirely with lenders which submit loans for insurance and loan servicers who collect mortgage payments and handle and report to MGIC defaults and foreclosures. Those servicers remit premiums to MGIC and report the status of the loan default to MGIC primarily by electronic means, but they can also remit premiums by other methods of payment and report and communicate with MGIC by mail, fax, phone and other customary forms of delivery. MGIC communicates with lenders and servicers and makes claim payments by electronic means, but also by the other above-mentioned means customarily used.

MGIC's internal operations at its corporate headquarters and remote field facilities would continue after an event affecting a customer because they are independent of the event impacting the customer. These operations include fraud investigation, claims, premium processing, and underwriting. In particular, MGIC could conduct fraud investigations even after an event affecting a customer in substantially the same way it conducts them before the event, because they are conducted primarily on the basis of files and information available at MGIC's offices and incidentally by direct contacts with customers and other persons and public records. Those contacts generally can be conducted as described above by various means that should remain available even if the customer is affected by an event. Fraudulent activities can then be reported to regulatory authorities under MGIC's current procedures.

Impacted customers can leverage numerous pre-existing communication methods offered by MGIC to continue business (i.e. internet, fax, traditional mail, electronic mail and telephones).

BUSINESS CONTINUITY PROGRAM (6/15) - ljm