The Australian Prudential Regulation Authority (APRA) has sent a directive to all entities under its regulation, stressing the importance of data backups in ensuring cyber resilience.
This directive is part of APRA’s broader strategy to enhance cyber resilience across the industry, as highlighted in its Interim Policy and Supervision Priorities update.
The letter addressed recurring issues in current backup practices that could affect system restoration during a cyber event.
APRA mandates that regulated entities evaluate their backup systems and promptly rectify any deficiencies found.
With the cyber threat environment continually changing, APRA said its regulated entities must adopt proactive measures to manage and mitigate cyber risks.
“As outlined in APRA’s Interim Policy and Supervision Priorities update, APRA will maintain its heightened supervisory focus on cyber resilience, ensuring that all entities meet the requirements in Prudential Standard CPS 234 Information Security (CPS 234). Regulated entities are also encouraged to periodically self-assess themselves against sound information security practices in Prudential Practice Guide CPG 234 Information Security (CPG 234),” it said.
The regulator said if it identifies weaknesses in entities’ cyber resilience practices, it will share these findings with the industry. This practice is intended to help entities self-assess and address vulnerabilities promptly.
“Common areas of weakness will be shared through letters to industry and are anticipated to cover key topics in cyber resilience,” it said.
APRA has highlighted the significance of data backups in protecting entities from data loss. Regular backups are a crucial element of the Essential Eight cyber mitigation strategies.
Recent supervisory activities have revealed that, despite having backup protocols, many entities face common issues that could compromise their effectiveness during incidents.
APRA expects regulated entities to review their backup systems against the identified issues.
Should any gaps be discovered that could materially affect the entity’s risk profile or financial health, the regulator deems this a material security control weakness, which must be reported under paragraph 36 of CPS 234.
The regulator will continue to share information on identified weaknesses to help entities strengthen their cyber resilience.
APRA advised regulated entities to ensure that backups are adequately isolated from the production environment to prevent simultaneous compromise.
“This should include access controls preventing any single account or person from having permission to modify or delete both production and backup,” it said.
APRA urges entities to maintain robust testing programs that confirm backups are protected from unauthorised access and alteration.
The regulator advised entities to validate that backup systems can recover critical business operations and technical systems within acceptable tolerance levels through comprehensive testing.
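The three expectations above (no single principal with destructive rights over both production and backup, backups verified against alteration, and restores measured against a recovery tolerance) can each be turned into a repeatable check. The following is an added example written for this article, not code from APRA or from its letter; the permission inventory, backup blobs, manifest and restore timings are all constructed sample data, and the "production"/"backup" environment labels, action names and tolerance figures are assumptions chosen for illustration.

```python
"""Added example: three defender-side checks that mirror the backup expectations
described above. Everything below operates on constructed sample data."""
import hashlib
from dataclasses import dataclass

# Actions that count as "modify or delete" for the separation-of-duties rule (assumed labels).
DESTRUCTIVE = {"modify", "delete"}


@dataclass(frozen=True)
class Grant:
    """One permission grant from a (constructed) access inventory."""
    principal: str      # account or person
    environment: str    # "production" or "backup" (assumed labels)
    actions: frozenset  # e.g. {"read", "modify", "delete", "append"}


def principals_with_dual_control(grants):
    """Return principals holding modify/delete rights in BOTH production and backup.

    Any name returned violates the isolation rule: one compromised account could
    destroy the live data and the copy meant to restore it.
    """
    destructive_envs = {}
    for g in grants:
        if g.actions & DESTRUCTIVE:
            destructive_envs.setdefault(g.principal, set()).add(g.environment)
    return sorted(p for p, envs in destructive_envs.items()
                  if {"production", "backup"} <= envs)


def verify_backup_manifest(manifest, blobs):
    """Compare a stored SHA-256 manifest against the backup blobs now on disk.

    manifest: {name: hex digest recorded when the backup was taken}
    blobs:    {name: bytes currently present}
    Returns a list of (name, status) with status in {"ok", "altered", "missing"}.
    """
    results = []
    for name, expected in manifest.items():
        if name not in blobs:
            results.append((name, "missing"))
            continue
        actual = hashlib.sha256(blobs[name]).hexdigest()
        results.append((name, "ok" if actual == expected else "altered"))
    return results


def restore_breaches(measured_minutes, tolerance_minutes):
    """Return systems whose measured restore time exceeds the agreed tolerance.

    A system with no defined tolerance is reported as a breach too: a recovery
    objective that was never set cannot have been tested against.
    """
    breaches = []
    for system, minutes in measured_minutes.items():
        limit = tolerance_minutes.get(system)
        if limit is None or minutes > limit:
            breaches.append(system)
    return sorted(breaches)


# ---- constructed sample data ------------------------------------------------
SAMPLE_GRANTS = [
    Grant("svc-app", "production", frozenset({"read", "modify"})),
    Grant("backup-writer", "backup", frozenset({"append"})),      # write-once target
    Grant("admin-jane", "production", frozenset({"modify", "delete"})),
    Grant("admin-jane", "backup", frozenset({"delete"})),         # the violation
    Grant("restore-operator", "backup", frozenset({"read"})),
]

GOOD_BLOBS = {
    "db-2024-01-01.dump": b"customer ledger snapshot (constructed)",
    "config.tar": b"application configuration (constructed)",
}
# Manifest recorded at backup time.
SAMPLE_MANIFEST = {n: hashlib.sha256(b).hexdigest() for n, b in GOOD_BLOBS.items()}
# Same set of files, but one has been altered after the manifest was written.
TAMPERED_BLOBS = dict(GOOD_BLOBS, **{"config.tar": b"application configuration (edited)"})

MEASURED_RESTORE = {"core-banking": 240, "crm": 30}   # minutes, constructed
RESTORE_TOLERANCE = {"core-banking": 120, "crm": 60}  # minutes, constructed

if __name__ == "__main__":
    print("dual-control principals:", principals_with_dual_control(SAMPLE_GRANTS))
    print("manifest (intact):", verify_backup_manifest(SAMPLE_MANIFEST, GOOD_BLOBS))
    print("manifest (tampered):", verify_backup_manifest(SAMPLE_MANIFEST, TAMPERED_BLOBS))
    print("restore breaches:", restore_breaches(MEASURED_RESTORE, RESTORE_TOLERANCE))
```

In practice the grant list would be exported from the identity provider and the backup platform rather than typed in, and the manifest would be written to a location the backup-writer account cannot modify, so that an attacker who alters a backup cannot also rewrite the digest that would reveal it.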