APRA warns entities on adequacy of backup systems

APRA has reminded its regulated entities of the need to remain vigilant when it comes to cyber resilience, identifying the use of data backups as a weak spot.

In a letter to all APRA-regulated entities, the regulator highlighted areas of weakness that it has identified through supervisory activities in entities' cybersecurity systems. It comes as APRA continues its assessment of entities' compliance with CPS 234 Information Security.

It said a key area of weakness is the use of data backups to protect an entity against data loss, noting that regular backups are one of the 'Essential Eight' cyber mitigation strategies published by the Australian Signals Directorate.

"APRA notes through recent supervisory activities that although many entities have backup practices in place, APRA has observed common problems that can limit the usefulness of these backups in restoring systems during an incident," it said.

Three main problems were highlighted by the regulator, the first being insufficient segregation of production and backup environments. APRA explained that this can result in backups being compromised when the production environment is compromised. It added that sufficient isolation also requires access controls that prevent a single account or person from being able to modify or delete both the production and backup environments.

APRA said it has also observed insufficient control testing coverage and rigour to ensure backups are protected from compromise. It said organisations should ensure the testing program "validates that backups are effective and protected from unauthorised access, modification or alteration."

Finally, APRA said it has observed insufficient testing of the capability to recover systems and data from backups. It said entities should ensure that backup coverage is sufficient to enable recovery of critical business operations, and that the technical capability to recover systems and data from those backups has actually been tested.
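The second and third weaknesses (backups not validated against unauthorised alteration, and recovery never exercised) are the kind of control an entity can test mechanically rather than assert on paper. The following Python script is an added example and is not part of APRA's letter or this article: it packs constructed sample files into an in-memory archive, records a manifest of SHA-256 digests that would be kept out of band from the backup store, verifies the archive against that manifest (catching a simulated in-place alteration of backup data), then performs a restore drill into a scratch directory and reports which of a constructed set of "critical" files came back intact. All file names, contents and the critical-file list are constructed for illustration.

```python
import hashlib
import io
import os
import tarfile
import tempfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict) -> tuple:
    """Pack files into an in-memory tar and produce a manifest holding the
    per-file SHA-256 digests plus the digest of the whole archive. In a real
    deployment the manifest is stored (or signed) separately from the backup
    media, so a compromise of the backup store cannot rewrite both."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    archive = buf.getvalue()
    manifest = {
        "archive_sha256": sha256(archive),
        "files": {name: sha256(data) for name, data in files.items()},
    }
    return archive, manifest


def verify_backup(archive: bytes, manifest: dict) -> list:
    """Return a list of findings; an empty list means the backup matches the
    out-of-band manifest (nothing added, removed or altered)."""
    findings = []
    if sha256(archive) != manifest["archive_sha256"]:
        findings.append("archive digest mismatch")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        for name, expected in manifest["files"].items():
            if name not in members:
                findings.append(f"missing from archive: {name}")
                continue
            if sha256(tar.extractfile(members[name]).read()) != expected:
                findings.append(f"content altered: {name}")
        for name in members:
            if name not in manifest["files"]:
                findings.append(f"not in manifest: {name}")
    return findings


def restore_drill(archive: bytes, manifest: dict, required: set) -> dict:
    """Restore into a scratch directory and report coverage: which of the
    files needed to recover critical operations came back intact."""
    report = {"restored": [], "missing": [], "corrupt": [], "rejected": []}
    with tempfile.TemporaryDirectory() as scratch:
        root = os.path.realpath(scratch)
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            for member in tar.getmembers():
                # Refuse member names that escape the scratch directory: an
                # attacker who can write to the backup store could otherwise
                # plant "../" paths that overwrite files during a restore.
                target = os.path.realpath(os.path.join(root, member.name))
                if not target.startswith(root + os.sep):
                    report["rejected"].append(member.name)
                    continue
                if not member.isfile():
                    continue
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as out:
                    out.write(tar.extractfile(member).read())
        for name in sorted(required):
            path = os.path.join(root, name)
            if not os.path.exists(path):
                report["missing"].append(name)
                continue
            with open(path, "rb") as fh:
                digest = sha256(fh.read())
            if digest == manifest["files"].get(name):
                report["restored"].append(name)
            else:
                report["corrupt"].append(name)
    return report


# Constructed sample data standing in for a production data set (assumption).
PRODUCTION = {
    "config/app.yaml": b"db: primary\nregion: ap-southeast-2\n",
    "data/ledger.db": b"balance=100;owner=member-1\n",
}
# Constructed list of files the business says it needs to recover operations.
# Note it names a file the backup job never captured.
CRITICAL = {"config/app.yaml", "data/ledger.db", "data/members.db"}


def run_drill():
    archive, manifest = make_backup(PRODUCTION)
    intact = verify_backup(archive, manifest)
    # Simulate an attacker (or a fault) rewriting backup data in place: same
    # length, so the tar still parses and only the manifest reveals the change.
    tampered = archive.replace(b"balance=100", b"balance=999")
    altered = verify_backup(tampered, manifest)
    coverage = restore_drill(archive, manifest, CRITICAL)
    return intact, altered, coverage


if __name__ == "__main__":
    intact, altered, coverage = run_drill()
    print("untouched backup findings:", intact)
    print("altered backup findings:", altered)
    print("restore drill:", coverage)
```

The two checks map onto APRA's points separately: `verify_backup` fails the altered copy even though the archive still opens cleanly, which is what "protected from unauthorised modification" means in practice, and `restore_drill` reports `data/members.db` as missing, which is a coverage gap that only an actual restore, not a successful backup job log, would surface.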

"APRA expects regulated entities to review their backup arrangements against these common issues. If the review identifies gaps that could materially impact the entity's risk profile or financial soundness, APRA considers this a material security control weakness notifiable under paragraph 36 of CPS 234," APRA said.

Paragraph 36 of CPS 234 requires APRA-regulated entities to notify APRA within 10 business days of becoming aware of a material information security control weakness.

This warning from APRA follows the recent UniSuper outage, the result of Google Cloud inadvertently deleting the super fund's private cloud. While the super fund had backups in place with another provider, it still took more than two weeks for UniSuper's complete online offering to be restored.

It was also confirmed that some data was lost, "predominantly related to [the fund's] internal operating processes."