Australia: APRA issues letter on cyber security and adequacy of backups

On June 3, 2024, the Australian Prudential Regulation Authority (APRA) issued a letter to all APRA-regulated entities on the role of data backups in enhancing cyber resilience.

Expectations for regulated entities

The letter highlighted the importance of data backups as a fundamental component of cyber resilience and one of the prioritized cyber mitigation strategies, essential for protecting entities against data loss.

Specifically, the letter noted that entities must review their backup arrangements against common issues identified by APRA and address gaps that could materially impact the entity’s risk profile or financial soundness. Further, the letter explained that organizations are expected to comply with Prudential Standard CPS 234 Information Security (CPS 234) and periodically self-assess against the best practices in Prudential Practice Guide CPG 234 Information Security (CPG 234).

Guidance for organizations

The letter details common problems observed in backup practices that could impede system restoration during a cyber incident. In this regard, APRA recommended:

  • maintaining sufficient isolation of backups from production environments to prevent a single account or person from having permission to modify or delete both;
  • running a robust testing program to validate that backups are effective and protected from unauthorized access or alteration; and
  • ensuring that testing programs validate that backups cover all critical business operations and can recover systems and data within tolerance levels.

You can read the press release here and the letter here.