APRA sets cybersecurity and data backup standards
Key issues in cyber backup practice revealed
Insurance Business Australia
By Roxanne Libatique
The Australian Prudential Regulation Authority (APRA) has sent a directive to all entities under its regulation, stressing the importance of data backups in ensuring cyber resilience.
APRA mandates that regulated entities evaluate their backup systems and promptly rectify any deficiencies found.
Cyber resilience as a supervisory focus
With the cyber threat environment continually changing, APRA said its regulated entities must adopt proactive measures to manage and mitigate cyber risks.
“As outlined in APRA’s Interim Policy and Supervision Priorities update, APRA will maintain its heightened supervisory focus on cyber resilience, ensuring that all entities meet the requirements in Prudential Standard CPS 234 Information Security (CPS 234). Regulated entities are also encouraged to periodically self-assess themselves against sound information security practices in Prudential Practice Guide CPG 234 Information Security (CPG 234),” it said.
The regulator said if it identifies weaknesses in entities’ cyber resilience practices, it will share these findings with the industry. This practice is intended to help entities self-assess and address vulnerabilities promptly.
“Common areas of weakness will be shared through letters to industry and are anticipated to cover key topics in cyber resilience,” it said.
Importance of data backups
APRA has highlighted the significance of data backups in protecting entities from data loss. Regular backups are one of the Essential Eight mitigation strategies published by the Australian Cyber Security Centre (ACSC).
Recent supervisory activities have revealed that, despite having backup protocols, many entities face common issues that could compromise their effectiveness during incidents.
Expectations for backup review
APRA expects regulated entities to review their backup systems against the identified issues.
Should the review reveal gaps that could materially affect the entity’s risk profile or financial soundness, APRA treats this as a material information security control weakness, which must be notified to APRA under paragraph 36 of CPS 234 (no later than 10 business days after the entity becomes aware of it).
The regulator will continue to share information on identified weaknesses to help entities strengthen their cyber resilience.
APRA’s observations and guidance on cyber backups
Lack of segregation
APRA advised regulated entities to ensure that backups are adequately isolated from the production environment to prevent simultaneous compromise.
“This should include access controls preventing any single account or person from having permission to modify or delete both production and backup,” it said.
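The rule above is easy to state and easy to break through group inheritance or through one person holding several accounts. As an added illustration (not code from APRA’s letter or from this article), the following Python script applies the rule to a constructed, simplified role model: roles grant (scope, action) permissions, accounts inherit roles through nested groups, and each account maps to the human who controls it. All names, roles and bindings are invented for the example; the check flags any account, and any person across their accounts, holding write or delete rights on both production and backup.

```python
"""Segregation-of-duties check: no single account or person may modify or
delete both production data and its backups.

Constructed example. The roles, groups, accounts and owners below are
invented to show the control; they are not from any real environment.
"""
from collections import defaultdict

# Constructed roles: role name -> set of (scope, action) permissions.
ROLES = {
    "prod-admin":      {("production", "read"), ("production", "write"), ("production", "delete")},
    "prod-reader":     {("production", "read")},
    "backup-operator": {("backup", "read"), ("backup", "write"), ("backup", "delete")},
    "backup-auditor":  {("backup", "read")},
    "storage-admin":   {("production", "delete"), ("backup", "delete")},  # dangerous combination
}

# Constructed group hierarchy: group -> member accounts and nested groups.
GROUPS = {
    "platform-team": {"alice", "ops-oncall"},
    "ops-oncall":    {"bob"},
}

# Constructed direct role bindings for accounts and groups.
BINDINGS = {
    "alice":         {"prod-admin"},
    "bob":           {"backup-operator"},
    "carol":         {"prod-reader", "backup-auditor"},
    "dave":          {"storage-admin"},
    "platform-team": {"backup-operator"},   # inherited by alice and (via ops-oncall) bob
    "erin":          {"prod-admin"},
    "erin-bkp":      {"backup-operator"},   # second account controlled by the same person
}

# Constructed mapping of accounts to the human who controls them.
OWNERS = {
    "alice": "Alice", "bob": "Bob", "carol": "Carol", "dave": "Dave",
    "erin": "Erin", "erin-bkp": "Erin",
}

# Actions that can alter or destroy data; read access is not a segregation concern.
DESTRUCTIVE = {"write", "delete"}


def account_groups(account):
    """All groups an account belongs to, including nested membership."""
    found = set()
    stack = [account]
    while stack:
        member = stack.pop()
        for group, members in GROUPS.items():
            if member in members and group not in found:
                found.add(group)
                stack.append(group)
    return found


def effective_permissions(account):
    """Union of permissions from roles bound directly or via any group."""
    perms = set()
    for principal in {account} | account_groups(account):
        for role in BINDINGS.get(principal, ()):
            perms |= ROLES[role]
    return perms


def destructive_scopes(perms):
    """Map scope -> set of destructive actions held on that scope."""
    out = defaultdict(set)
    for scope, action in perms:
        if action in DESTRUCTIVE:
            out[scope].add(action)
    return dict(out)


def find_violations():
    """Return {principal: {scope: actions}} for every account, and for every
    person whose accounts combined, can destroy both production and backup."""
    violations = {}
    owner_perms = defaultdict(set)
    owner_flagged = set()
    for account, owner in sorted(OWNERS.items()):
        perms = effective_permissions(account)
        owner_perms[owner] |= perms
        scopes = destructive_scopes(perms)
        if "production" in scopes and "backup" in scopes:
            violations[f"account:{account}"] = scopes
            owner_flagged.add(owner)
    # Second pass: a person who splits the combination across accounts still
    # breaches the control, even though each account looks clean on its own.
    for owner, perms in owner_perms.items():
        scopes = destructive_scopes(perms)
        if owner not in owner_flagged and "production" in scopes and "backup" in scopes:
            violations[f"person:{owner}"] = scopes
    return violations


if __name__ == "__main__":
    for principal, scopes in find_violations().items():
        print(f"VIOLATION {principal}: {scopes}")
```

On this data the check flags alice (production rights held directly, backup rights inherited from platform-team), dave (one role spanning both scopes) and the person Erin (two individually clean accounts that together cover both). In a real review the same logic would be fed from the IAM system’s exported role assignments and the HR or identity record that ties accounts to people; the point of the second pass is that an account-only review misses exactly the case the regulator’s wording ("account or person") is aimed at.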
Inadequate control testing
APRA urges entities to maintain robust testing programmes that confirm backups are protected from unauthorised access and alteration.
Insufficient recovery testing
The regulator advised entities to validate that backup systems can recover critical business operations and technical systems within acceptable tolerance levels through comprehensive testing.