Cyber resilience is one of APRA’s supervision priorities. As the cyber threat landscape continues to evolve and escalate, all APRA-regulated entities must stay vigilant and proactively implement strategies to mitigate the risk and impact of potential cyber-attacks.
One area where APRA has observed weakness is the use of data backups to protect an entity against data loss.
On 3 June 2024, APRA published a letter to all APRA-regulated entities on the issue of backups, stating: “APRA notes through recent supervisory activities that although many entities have backup practices in place, APRA has observed common problems that can limit the usefulness of these backups in restoring systems during an incident”.
APRA’s letter and its Appendix cover some common issues in backup practices, including insufficient segregation between production and backup environments, and a lack of control testing coverage to ensure that backups are protected.
Prudential Standard CPS 234, Information Security, and Prudential Practice Guide 234 provide both guidance and requirements for information security.