APRA sets cybersecurity and data backup standards

APRA sets cybersecurity and data backup standards | Insurance Business Australia

Cyber

APRA sets cybersecurity and data backup standards

Key issues in cyber backup practice revealed

Cyber

By
Roxanne Libatique

The Australian Prudential Regulation Authority (APRA) has sent a directive to all entities under its regulation, stressing the importance of data backups in ensuring cyber resilience.

APRA mandates that regulated entities evaluate their backup systems and promptly rectify any deficiencies found.

Cyber resilience as a supervisory focus

With the cyber threat environment continually changing, APRA said its regulated entities must adopt proactive measures to manage and mitigate cyber risks.

“As outlined in APRA’s Interim Policy and Supervision Priorities update, APRA will maintain its heightened supervisory focus on cyber resilience, ensuring that all entities meet the requirements in Prudential Standard CPS 234 Information Security (CPS 234). Regulated entities are also encouraged to periodically self-assess themselves against sound information security practices in Prudential Practice Guide CPG 234 Information Security (CPG 234),” it said.

The regulator said if it identifies weaknesses in entities’ cyber resilience practices, it will share these findings with the industry. This practice is intended to help entities self-assess and address vulnerabilities promptly.

“Common areas of weakness will be shared through letters to industry and are anticipated to cover key topics in cyber resilience,” it said.

Importance of data backups

APRA has highlighted the significance of data backups in protecting entities from data loss. Regular backups are a crucial element of the Essential Eight cyber mitigation strategies.

Recent supervisory activities have revealed that, despite having backup protocols, many entities face common issues that could compromise their effectiveness during incidents.

Expectations for backup review

APRA expects regulated entities to review their backup systems against the identified issues.

Should any gaps be discovered that could materially affect the entity’s risk profile or financial health, the regulator deems this a material security control weakness, which must be reported under paragraph 36 of CPS 234.

The regulator will continue to share information on identified weaknesses to help entities strengthen their cyber resilience.

APRA’s observation and guidance on cyber backups

Lack of segregation

APRA advised regulated entities to ensure  that backups are adequately isolated from the production environment to prevent simultaneous compromise.

“This should include access controls preventing any single account or person to have permission to modify or delete both production and backup,” it said.

Inadequate control testing

APRA urges entities to ensure robust testing programs to confirm that backups are protected from unauthorised access and alterations

Insufficient recovery testing

The regulator advised entities to validate that backup systems can recover critical business operations and technical systems within acceptable tolerance levels through comprehensive testing.

Related Stories

Keep up with the latest news and events

Join our mailing list, it’s free!