(3 June 2024 – Australia) The Australian Prudential Regulation Authority (APRA) is stepping up a “supervisory focus on cyber resilience”, reminding companies they should periodically self-assess their information security practices.
APRA said that although many companies had backups, common problems limited their usefulness: insufficient segregation between production and backup environments, a lack of control-testing coverage and rigour to ensure backups are protected from compromise, and insufficient testing of the capability to recover systems and data from backups within tolerance levels.
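The three gaps APRA lists (unsegregated backup environments, untested protection against compromise, and unverified recovery within tolerance) map onto checks an entity can automate. The following Python script is an added illustration, not code from APRA or the article: it takes a backup with a SHA-256 manifest, detects when a backup file has been altered, and performs a timed restore into a separate location, comparing the elapsed time against a recovery tolerance. The sample data, directory layout and the 5-second tolerance are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

# Constructed sample "production" data set for the demonstration (not real member data).
SAMPLE_FILES = {
    "members/0001.json": b'{"id": 1, "balance": 10250.75}\n',
    "members/0002.json": b'{"id": 2, "balance": 8800.00}\n',
    "ledger/2024-06.csv": b"date,amount\n2024-06-01,150.00\n",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sample_data(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def take_backup(prod: Path, backup: Path) -> dict:
    """Copy the production tree into a separate backup tree and record a hash manifest.
    The manifest is what later lets us prove the backup has not been altered."""
    if backup.exists():
        shutil.rmtree(backup)
    shutil.copytree(prod, backup)
    manifest = {}
    for p in sorted(backup.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(backup).as_posix()] = sha256_of(p)
    return manifest


def verify_backup(backup: Path, manifest: dict) -> list:
    """Return the relative paths whose current hash differs from the manifest or that are missing."""
    bad = []
    for rel, expected in manifest.items():
        p = backup / rel
        if not p.is_file() or sha256_of(p) != expected:
            bad.append(rel)
    return bad


def timed_restore(backup: Path, restore_to: Path, manifest: dict, tolerance_s: float) -> dict:
    """Restore into a separate directory, re-verify every file against the manifest,
    and report whether the restore finished inside the recovery tolerance (an RTO-style check)."""
    if restore_to.exists():
        shutil.rmtree(restore_to)
    start = time.monotonic()
    shutil.copytree(backup, restore_to)
    elapsed = time.monotonic() - start
    return {
        "elapsed_s": elapsed,
        "within_tolerance": elapsed <= tolerance_s,
        "files_restored": len(manifest),
        "mismatched": verify_backup(restore_to, manifest),
    }


def run_demo(tolerance_s: float = 5.0) -> dict:
    """End-to-end exercise: backup, integrity check, simulated corruption, clean re-backup, timed restore."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        prod, backup, restore = base / "prod", base / "backup", base / "restore"
        write_sample_data(prod)
        manifest = take_backup(prod, backup)
        clean = verify_backup(backup, manifest)
        # Simulate one backup file being altered after the backup was taken; the
        # manifest check is what surfaces it before anyone relies on that copy.
        (backup / "members/0001.json").write_bytes(b"corrupted\n")
        after_tamper = verify_backup(backup, manifest)
        # Take a fresh clean backup and run the timed restore test against it.
        manifest = take_backup(prod, backup)
        restore_result = timed_restore(backup, restore, manifest, tolerance_s)
        return {"clean_check": clean, "tamper_detected": after_tamper, "restore": restore_result}


if __name__ == "__main__":
    print(run_demo())
```

In practice the manifest would be stored somewhere the production environment cannot write (the segregation point in the text), and the tolerance would be the entity's own recovery objective rather than the constructed 5 seconds used here.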
APRA operational resilience general manager Alison Bliss told companies the regulator expected to share insights into common areas of weakness in the coming months. APRA had observed a key area of weakness in the use of data backups to protect against entity data loss. UniSuper was crippled by a data outage after Google Cloud deleted the superannuation giant’s subscription and client data due to a failure by Google staff to configure a system, forcing UniSuper to restore its data from a backup and causing days of outage.
“The use of regular backups is one of the Essential Eight prioritised cyber mitigation strategies,” Bliss said.