
Australia’s prudential regulator has urged financial services businesses to maintain adequate data redundancy and disaster recovery processes after it observed weaknesses in regulated entities’ use and maintenance of backups.
In a letter issued to all regulated entities on Monday, APRA’s general manager of operational resilience Alison Bliss said that the watchdog, during its recent supervisory activities, had borne witness to “common problems that can limit the usefulness” of critical backups that may be used to restore systems after a major incident.
The regulator flagged three critical concerns in its observations:
- insufficient segregation between production and backup environments, that is, segregation that ensures a compromise or breach of the production environment does not also compromise the backups;
- insufficient coverage and rigour in control testing to ensure that backups are effective and protected from unauthorised access, modification or alteration; and
- insufficient testing of the capability to recover systems and data from backups within tolerance levels, both to restore critical business operations and to prove the technical capability to recover within those tolerances.
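The three concerns above map naturally onto checks that a restore drill can run and record. The following is an added example written for this article, not code from APRA, the letter or any regulated entity; the backup records, digests, recovery objectives (RPO and RTO) and restore timings are all constructed, and the attribute names are assumptions about what an entity's own backup manifest would track.

```python
"""Restore-drill checks for the three backup weaknesses described above.

Added example (not from APRA or the article). Assumes a backup manifest that
records, per backup set, a SHA-256 digest taken at write time and kept out of
band, whether the storage is retention-locked, and whether production
credentials can write to it. All sample data below is constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupRecord:
    """Metadata an entity would keep about one backup set (assumed fields)."""
    name: str
    taken_at: datetime
    sha256: str                  # digest recorded when the backup was written
    immutable: bool              # write-once / retention-locked storage
    separate_credentials: bool   # not writable with production credentials


@dataclass(frozen=True)
class Tolerance:
    """Recovery objectives the entity has set for the system (constructed)."""
    rpo: timedelta   # maximum acceptable data loss (age of newest usable backup)
    rto: timedelta   # maximum acceptable time to bring the system back


def check_segregation(rec: BackupRecord) -> list[str]:
    """Concern 1: a production compromise must not be able to reach backups."""
    findings = []
    if not rec.separate_credentials:
        findings.append(f"{rec.name}: backup store is writable with production credentials")
    if not rec.immutable:
        findings.append(f"{rec.name}: backup is not retention-locked and could be deleted or altered")
    return findings


def check_integrity(rec: BackupRecord, payload: bytes) -> list[str]:
    """Concern 2: detect unauthorised modification by re-hashing the stored backup
    and comparing with the digest recorded (out of band) at backup time."""
    actual = hashlib.sha256(payload).hexdigest()
    if actual != rec.sha256:
        return [f"{rec.name}: digest mismatch (expected {rec.sha256[:12]}..., got {actual[:12]}...)"]
    return []


def check_recovery(rec: BackupRecord, now: datetime,
                   restore_duration: timedelta, tol: Tolerance) -> list[str]:
    """Concern 3: prove the restore meets RPO and RTO, not just that a file exists."""
    findings = []
    age = now - rec.taken_at
    if age > tol.rpo:
        findings.append(f"{rec.name}: newest backup is {age} old, exceeding RPO of {tol.rpo}")
    if restore_duration > tol.rto:
        findings.append(f"{rec.name}: measured restore took {restore_duration}, exceeding RTO of {tol.rto}")
    return findings


def run_drill(rec: BackupRecord, payload: bytes, now: datetime,
              restore_duration: timedelta, tol: Tolerance) -> list[str]:
    """Run all three checks; an empty list means the backup passed the drill."""
    return (check_segregation(rec)
            + check_integrity(rec, payload)
            + check_recovery(rec, now, restore_duration, tol))


# Constructed sample data: one well-managed backup and one exhibiting every weakness.
SAMPLE_PAYLOAD = b"ledger-snapshot-2024-06-10\n"
TOL = Tolerance(rpo=timedelta(hours=24), rto=timedelta(hours=4))
NOW = datetime(2024, 6, 10, 9, 0, tzinfo=timezone.utc)

GOOD = BackupRecord(
    name="ledger-nightly",
    taken_at=datetime(2024, 6, 10, 1, 0, tzinfo=timezone.utc),
    sha256=hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(),
    immutable=True,
    separate_credentials=True,
)
WEAK = BackupRecord(
    name="ledger-adhoc",
    taken_at=datetime(2024, 6, 8, 1, 0, tzinfo=timezone.utc),   # stale: > 24h old
    sha256=hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(),
    immutable=False,
    separate_credentials=False,
)
TAMPERED_PAYLOAD = SAMPLE_PAYLOAD + b"unauthorised edit\n"   # simulates modification in place

if __name__ == "__main__":
    for rec, payload, restore_time in (
        (GOOD, SAMPLE_PAYLOAD, timedelta(hours=2)),
        (WEAK, TAMPERED_PAYLOAD, timedelta(hours=6)),
    ):
        result = run_drill(rec, payload, NOW, restore_time, TOL)
        print(f"{rec.name}: {'PASS' if not result else 'FAIL'}")
        for line in result:
            print("  -", line)
```

The drill deliberately treats "backup exists" as insufficient: a backup only counts when its storage cannot be reached with production credentials, its digest still matches a record kept outside the backup environment, and a timed restore lands inside the entity's own tolerance levels. A finding from any of the three checks is the kind of gap the letter says should be assessed for materiality.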
Bliss warned that APRA “expects regulated entities to review their backup arrangements against these common issues” in keeping with their commitment to Prudential Standard CPS 234 Information Security (CPS 234).
“If the review identifies gaps that could materially impact the entity’s risk profile or financial soundness, APRA considers this a material security control weakness notifiable under paragraph 36 of CPS 234.”
She further noted that APRA will maintain its heightened supervisory focus on cyber resilience, ensuring regulated entities meet the expectations set out in CPS 234 – as outlined in the regulator’s Interim Policy and Supervision Priorities update issued in January this year.
The maintenance of regular backups, Bliss added, is also one of the prioritised Essential Eight cyber mitigation strategies.
APRA’s reminder comes less than a month after superannuation fund UniSuper, which counts more than 600,000 members, suffered a nearly week-long outage as a result of a mishap caused by its cloud provider, Google Cloud.
Despite Google copping deserved blame, experts also observed that the super fund did not have a sufficient and readily available external backup for disaster recovery, resulting in a prolonged recovery process and the likelihood of data being lost.