I am a senior associate in our Dispute Resolution Group in Sydney, specialising in media and technology disputes, commercial litigation and privacy and cybersecurity advisory work.
On 3 June 2024, the Australian Prudential Regulation Authority (APRA) wrote to all APRA-regulated entities to emphasise its expectations regarding cybersecurity, specifically relating to data backups and protection against data loss.
APRA called for businesses to promptly review and address gaps in any practices which could impede system restoration during the restoration phase of a cyber incident. Referring particularly to “common problems that can limit the usefulness of…backups in restoring systems during an incident”,
APRA has recommended businesses:
periodically self-assess themselves against the security practices in APRA Prudential Guide CPG 234 (Information Security) (CPG 234);
review their backup arrangements against the common problems which limit the usefulness of backups during the restoration phase following a cyber incident:
insufficient segregation between production and backup environments;
insufficient control testing coverage and rigour to ensure backups are protected from compromise; and
insufficient testing of capability to recover systems and data within tolerance levels from backups.
APRA has noted that:
gaps revealed by a review of backup arrangements may be a notifiable weakness under paragraph 36 of APRA Prudential Standard CPS 234 (Information Security) (CPS 234); and
the use of regular backups is one of the Essential Eight prioritised cyber mitigation strategies.
Guidance from APRA on how businesses can address common problems
APRA’s checklist of ensuring security and adequacy of backup include:
maintaining sufficient isolation of backups from the production environment so that a compromise of the production environment does not compromise backups. Including preventing any single account having permission to modify or delete both production and backup (CPG 234, paragraphs 44 and 45);
ensuring that the testing program validates that backups are effective and protected from unauthorised access, modification or alteration (CPG 234, paragraph 45 and Attachment G); and
ensuring that the testing program validates the backup coverage is sufficient to enable the recovery of critical business operations, as well as the technical capability to recover systems and data within tolerance levels (CPG 234 and Attachment G).
APRA has also referred entities to the Essential Eight Strategies to Mitigate Cyber Security Incidents for prioritised mitigation strategies for common weaknesses.
Takeaways
APRA’s letter contains guidance for regulated entities regarding regulatory priorities as well as APRA’s expectations regarding the restoration phase of a cyber incident.
In particular:
as the cyber threat landscape continues to evolve at rapid levels, APRA has stressed the critical role of data backups in cyber resilience and that regulated entities are expected now more than ever to demonstrate they have taken vigilant and proactive steps to mitigate risk and impacts of cyber-attacks through their data backup practices;
APRA has clarified that regulated entities are expected to self-review their backup arrangements (and close the gap on any weaknesses) to enable efficient recovery of critical business operations as part of CPS 234 (i.e. to avoid operational risk control failures and disruptions); and
APRA has emphasised that weaknesses in data backup practices may equate to a notifiable event due to ‘material information security control weakness’ (as per paragraph 36 of the CPS 234), requiring notification to APRA no later than 10 business days.
We expect that APRA will continue to stress the need for entities to proactively self-assess, rectify any weaknesses and improve their cyber resilience.
APRA’s letter is consistent with the broader trend of several Australian regulators emphasising the criticality of robust data security processes and practices when reviewing and ensuring compliance with Australia’s data protection, competition, corporations, telecommunications, and critical infrastructure laws. APRA’s supervision priority on data backups reminds APRA regulated entities to proactively improve their data management processes and practices, not only to ensure efficient system restoration and minimal business disruptions in the event of a cyber incident, but also as an essential part of discharging their CPS 234 obligations.
Should you wish to further discuss how your business may be affected and how we might help you to assess and refine current practices, please reach out to Julie Cheeseman or Hamish Fraser.