APRA issues warning on backups

The Australian Prudential Regulation Authority (APRA) has written to the banking, insurance and superannuation industry to warn about the critical role of data backups in cyber resilience.

It has emphasised its expectation that APRA-regulated entities review their backup arrangements and address any identified gaps promptly.

“Where APRA identifies common areas of weakness in entity cyber resilience practices, APRA will share these insights with industry to help enable individual entities to self-assess and rectify weaknesses in their own cyber resilience in a timely manner. Common areas of weakness will be shared through letters to industry and are anticipated to cover key topics in cyber resilience.

“A key topic where APRA has observed weakness is the use of data backups to protect an entity against data loss. The use of regular backups is one of the Essential Eight prioritised cyber mitigation strategies.

“APRA notes through recent supervisory activities that although many entities have backup practices in place, APRA has observed common problems that can limit the usefulness of these backups in restoring systems during an incident.”

Problems highlighted included:

• Insufficient segregation between production and backup environments

• Insufficient control testing coverage and rigour to ensure backups are protected from compromise

• Insufficient testing of capability to recover systems and data within tolerance levels from backups
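The second and third findings above are only answered by actually restoring from a backup and checking the result, not by confirming that a backup job ran. The following is an added example written for this page (it is not from APRA's letter and not the code of any regulated entity) showing the shape of such a restore test: it builds a constructed sample backup carrying a SHA-256 manifest, restores it into a scratch directory with a path-traversal guard, verifies every restored file against the manifest, flags files the manifest does not know about, and times the restore against a recovery time objective (RTO). It also restores a deliberately tampered copy of the same backup to show that the check catches silent modification of backup data. The sample files, the `MANIFEST.json` layout and the `rto_seconds` parameter are all assumptions made for the example.

```python
import hashlib
import io
import json
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed sample data standing in for a production dataset (assumption).
SAMPLE_FILES = {
    "ledger/accounts.csv": b"id,balance\n1,100\n2,250\n",
    "ledger/journal.log": b"2024-01-01 OPEN\n2024-01-02 POST 1 +50\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict) -> bytes:
    """Build an in-memory tar backup that carries a manifest of SHA-256 digests.

    The manifest layout is an assumption of this example; any backup tool
    that records per-file digests out of band would serve the same purpose.
    """
    manifest = {name: {"sha256": sha256(data), "size": len(data)}
                for name, data in files.items()}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add("MANIFEST.json", json.dumps(manifest, sort_keys=True).encode())
        for name, data in files.items():
            add(name, data)
    return buf.getvalue()


def restore_and_verify(backup: bytes, dest: Path, rto_seconds: float) -> dict:
    """Restore `backup` into `dest`, verify it against its manifest, time it against the RTO."""
    start = time.monotonic()
    dest = dest.resolve()
    with tarfile.open(fileobj=io.BytesIO(backup), mode="r") as tar:
        members = tar.getmembers()
        manifest = json.load(tar.extractfile("MANIFEST.json"))  # KeyError if absent
        for m in members:
            # Refuse members that would escape the restore directory or are not plain files.
            target = (dest / m.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"unsafe path in backup: {m.name}")
            if not m.isfile():
                raise ValueError(f"unexpected member type: {m.name}")
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(tar.extractfile(m).read())
    # Every file the manifest promises must exist with the recorded digest ...
    mismatched = [name for name, expected in manifest.items()
                  if not (dest / name).is_file()
                  or sha256((dest / name).read_bytes()) != expected["sha256"]]
    # ... and nothing the manifest does not know about may have been restored.
    unexpected = [m.name for m in members
                  if m.name != "MANIFEST.json" and m.name not in manifest]
    elapsed = time.monotonic() - start
    within_rto = elapsed <= rto_seconds
    return {
        "files_restored": len(manifest),
        "mismatched": mismatched,
        "unexpected": unexpected,
        "elapsed_seconds": elapsed,
        "within_rto": within_rto,
        "restore_ok": not mismatched and not unexpected and within_rto,
    }


def run_demo(rto_seconds: float = 5.0) -> dict:
    """Restore an intact and a tampered copy of the sample backup; return both reports."""
    backup = make_backup(SAMPLE_FILES)
    # Constructed tampering: a same-length edit to backup data, manifest left untouched,
    # as an attacker with write access to the backup store (finding 2 above) might make.
    tampered = backup.replace(b"2,250", b"2,999")
    with tempfile.TemporaryDirectory() as tmp:
        intact = restore_and_verify(backup, Path(tmp) / "intact", rto_seconds)
        bad = restore_and_verify(tampered, Path(tmp) / "tampered", rto_seconds)
    return {"intact": intact, "tampered": bad}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run as a scheduled job against a real backup, the same routine gives a record per restore of what was recovered, whether it matched what was backed up, and whether the restore fit the tolerance the entity has set; a restore that completes but fails the digest check is the case the second finding is about, and one that passes but overruns the RTO is the case the third is about.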