
Security and adequacy of backups

To: All APRA regulated entities


Cyber resilience is one of APRA’s supervision priorities. As the cyber threat landscape continues to evolve and escalate, APRA-regulated entities must stay vigilant and proactively implement strategies to mitigate the risk and impact of potential cyber-attacks.

As outlined in APRA’s Interim Policy and Supervision Priorities update, APRA will maintain its heightened supervisory focus on cyber resilience, ensuring that all entities meet the requirements in Prudential Standard CPS 234 Information Security (CPS 234)[1]. Regulated entities are also encouraged to periodically self-assess themselves against sound information security practices in Prudential Practice Guide CPG 234 Information Security (CPG 234).

Where APRA identifies common areas of weakness in entity cyber resilience practices, APRA will share these insights with industry to help individual entities self-assess and rectify weaknesses in their own cyber resilience in a timely manner. Common areas of weakness will be shared through letters to industry and are anticipated to cover key topics in cyber resilience.

A key topic where APRA has observed weakness is the use of data backups to protect an entity against data loss. The use of regular backups is one of the Essential Eight[2] prioritised cyber mitigation strategies.

Through recent supervisory activities, APRA has observed that, although many entities have backup practices in place, common problems can limit the usefulness of these backups in restoring systems during an incident. A summary of the common issues observed and the relevant guidance from APRA’s Prudential framework is provided in the Appendix.

APRA expects regulated entities to review their backup arrangements against these common issues. If the review identifies gaps that could materially impact the entity’s risk profile or financial soundness, APRA considers this a material security control weakness notifiable under paragraph 36 of CPS 234.

Given the fast-moving nature of cyber threats, APRA will continue to share information on any common areas of weakness in the future.

Please contact your supervisor should you have any questions regarding the content of this letter.

Yours sincerely, 


Alison Bliss
General Manager, Operational Resilience 
Cross Industry Division

Appendix – Security and adequacy of backups

Observations and guidance

  • Observation: Insufficient segregation between production and backup environments.
    Guidance: Maintain sufficient isolation of backups from the production environment so that a compromise of the production environment does not compromise backups. This should include access controls preventing any single account or person from having permission to modify or delete both production and backup (refer CPG 234, paragraphs 44 and 45).
  • Observation: Insufficient control testing coverage and rigour to ensure backups are protected from compromise.
    Guidance: Ensure the testing program validates that backups are effective and protected from unauthorised access, modification or alteration (refer CPG 234, paragraph 45 and Attachment G).
  • Observation: Insufficient testing of the capability to recover systems and data within tolerance levels from backups.
    Guidance: Ensure the testing program validates that backup coverage is sufficient to enable the recovery of critical business operations, as well as the technical capability to recover systems and data within tolerance levels (refer CPG 234 and Attachment G).
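The first guidance item is a separation-of-duties rule: no single account or person may hold modify or delete rights over both production and backup. The following is an added illustration (not part of APRA’s letter) of how an entity might check an exported access inventory against that rule; the principals, environments and account-to-owner mapping are constructed sample data, and it also shows why grants must be resolved to the owning person, not just the account.

```python
"""Separation-of-duties check for backup access, modelled on the guidance
above: flag any identity with modify/delete rights in BOTH production and
backup. All names below are constructed sample data, not real identities."""
from dataclasses import dataclass, field

DESTRUCTIVE = {"modify", "delete"}


@dataclass
class Grant:
    principal: str        # account name as exported from the access inventory
    environment: str      # "production" or "backup"
    actions: set = field(default_factory=set)


def find_sod_violations(grants, owner_of=None):
    """Return sorted principals holding modify/delete rights in both environments.

    owner_of maps account -> person; when supplied, grants are aggregated per
    person so that a user plus their service account are judged together,
    matching the guidance's "any single account or person".
    """
    owner_of = owner_of or {}
    summary = {}  # person -> {environment -> destructive actions held}
    for g in grants:
        held = g.actions & DESTRUCTIVE
        if not held:
            continue  # read-only grants cannot damage backups; ignore
        person = owner_of.get(g.principal, g.principal)
        summary.setdefault(person, {}).setdefault(g.environment, set()).update(held)
    return sorted(p for p, envs in summary.items()
                  if {"production", "backup"} <= set(envs))


# Constructed sample inventory (hypothetical accounts and permissions).
SAMPLE_GRANTS = [
    Grant("alice", "production", {"read", "modify"}),
    Grant("svc-db-admin", "backup", {"delete"}),      # service account owned by alice
    Grant("bob", "production", {"modify", "delete"}),
    Grant("bob", "backup", {"read"}),                 # read-only on backups: acceptable
    Grant("carol", "backup", {"modify", "delete"}),   # backup operator, no production rights
    Grant("dave", "production", {"delete"}),
    Grant("dave", "backup", {"modify"}),
]
ACCOUNT_OWNER = {"svc-db-admin": "alice"}  # constructed account -> person mapping

if __name__ == "__main__":
    print("account-level:", find_sod_violations(SAMPLE_GRANTS))
    print("person-level: ", find_sod_violations(SAMPLE_GRANTS, ACCOUNT_OWNER))
```

Checking at account level alone misses alice, whose destructive backup right sits on a service account she owns; the person-level pass catches it.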

Footnotes

[1] Ongoing CPS 234 tripartite assessments continue to uncover several prevalent common cyber control gaps in industry.

[2] The Essential Eight also provides additional prioritised mitigation strategies for common weaknesses.


2024
