
Australian Prudential Regulator highlights importance of cyber resilience

On 3 June 2024, the Australian Prudential Regulation Authority (APRA) wrote to all APRA-regulated businesses to highlight its cybersecurity expectations, particularly around data backups and data loss protection.

APRA urged companies to promptly review and close any gaps in practices that could hinder system recovery during the recovery phase of a cyber incident.

In particular, referring to “Common issues that can limit the usefulness of backups in restoring systems during an incident”, APRA has recommended that companies:

  • conduct regular self-assessment of security practices in APRA Prudential Guide CPG 234 (Information Security) (CPG 234);
  • review their backup arrangements for the most common issues that limit the usefulness of backups during the recovery phase after a cyber incident:
    • insufficient separation between production and backup environments;
    • inadequate control tests to ensure that backups are protected from compromise; and
    • inadequate testing of the ability to restore systems and data from backups within tolerance limits.

APRA found that:

  • Gaps identified during a review of backup arrangements may constitute a reportable vulnerability under paragraph 36 of APRA Prudential Standard CPS 234 (Information Security) (CPS 234); and
  • Using regular backups is one of the Essential Eight prioritized strategies to mitigate cyber risks.

APRA’s advice on how companies can resolve common problems

APRA’s checklist for ensuring the security and adequacy of data backup includes:

  • Maintaining sufficient isolation of backups from the production environment so that a compromise of the production environment does not also compromise the backups. This includes preventing a single account from having permission to modify or delete both production and backup data (CPG 234, paragraphs 44 and 45);
  • Ensuring that the test program confirms that the safeguards are effective and protected against unauthorized access, modification or alteration (CPG 234, paragraph 45 and Appendix G); and
  • Ensuring that the testing program validates that backup coverage is sufficient to enable recovery of critical business operations and that the technical capability to recover systems and data is within tolerance limits (CPG 234 and Appendix G).

APRA also referred companies to the Essential Eight Cybersecurity incident containment strategies for prioritized mitigation strategies for common vulnerabilities.


APRA’s letter provides guidance to regulated entities on regulatory priorities as well as APRA’s expectations regarding the recovery phase following a cyber incident.

In particular:

  • As the cyber threat landscape continues to evolve rapidly, APRA has emphasised the critical role of data backups in cyber resilience, and regulated entities are now expected more than ever to demonstrate that they have taken vigilant and proactive steps to mitigate the risks and impacts of cyber attacks through their data backup practices;
  • APRA has clarified that regulated firms are expected to self-assess their backup arrangements (and remediate any weaknesses) to enable efficient recovery of critical business operations under CPS 234 (i.e. to avoid errors and disruptions in controlling operational risks); and
  • APRA has emphasised that weaknesses in data security may amount to a reportable event for ‘significant weaknesses in information security controls’ (under paragraph 36 of CPS 234), which must be notified to APRA within ten working days.

We expect APRA to continue to emphasise the need for regulated entities to proactively self-assess, address any vulnerabilities and improve their cyber resilience.

APRA’s letter is in line with a general trend among several Australian regulators emphasising the importance of robust data security processes and practices when reviewing and ensuring compliance with Australia’s privacy, competition, corporate, telecommunications and critical infrastructure laws. APRA’s supervisory priority on data backups reminds APRA-regulated entities to proactively improve their data management processes and practices, not only to ensure efficient system recovery and minimal business disruption in the event of a cyber incident, but also as an essential part of meeting their CPS 234 obligations.

If you would like to discuss further how this might impact your business and how we can help you evaluate and improve current practices, please contact Julie Cheeseman or Hamish Fraser.