The Australian Prudential Regulation Authority (APRA) has outlined its expectations and backup practices guidelines for Australian businesses in its latest communication

On Monday the statutory authority highlighted the role of data backups in cyber resilience within the financial services industry, urging APRA-regulated entities to review their backup systems.
In its letter, APRA said, “As the cyber threat landscape continues to evolve and escalate, APRA-regulated entities must stay vigilant and proactively implement strategies to mitigate the risk and impact of potential cyber-attacks.”
APRA’s Interim Policy and Supervision Priorities update noted the organisation will continue to “maintain its heightened supervisory focus on cyber resilience” and encouraged businesses “to periodically self-assess themselves against sound information security practices in Prudential Practice Guide CPG 234 Information Security (CPG 234).”
“Where APRA identifies common areas of weakness in entity cyber resilience practices APRA will share these insights with the industry to help enable individual entities to self-assess and rectify weaknesses in their own cyber resilience in a timely manner.
“Common areas of weakness will be shared through letters to industry and are anticipated to cover key topics in cyber resilience,” APRA stated.
APRA said it had “observed weakness” in the way businesses dealt with data backups. A key topic where APRA has observed weakness is the use of data backups to protect an entity against data loss.
It highlighted that “the use of regular backups is one of the Essential Eight prioritised cyber mitigation strategies.”
“APRA notes through recent supervisory activities that although many entities have backup practices in place, APRA has observed common problems that can limit the usefulness of these backups in restoring systems during an incident.
“APRA expects regulated entities to review their backup arrangements against these common issues.
“If the review identifies gaps that could materially impact the entity’s risk profile or financial soundness, APRA considers this a material security control weakness notifiable under paragraph 36 of CPS 234,” APRA said.
It added that, given the rising risk of cyber threats, it “will continue to share information on any common areas of weakness in the future.”