Home / Security Services / Cyber Security /
In a communication addressed to all regulated entities, the regulatory body has underscored vulnerabilities identified in cybersecurity systems through its supervisory efforts. This alert coincides with APRA’s ongoing evaluation of entities’ adherence to CPS 234 Information Security standards.
A significant area of concern outlined pertains to the efficacy of data backups in safeguarding entities against data loss. APRA has emphasised the critical role of regular backups as one of the ‘Essential Eight’ cyber mitigation strategies endorsed by the Australian Signals Directorate.
“APRA notes through recent supervisory activities that although many entities have backup practices in place, APRA has observed common problems that can limit the usefulness of these backups in restoring systems during an incident,” it said.
The regulator has identified three main issues. Firstly, there’s a lack of proper separation between production and backup environments, which could lead to compromises in backups if the production environment is compromised. To address this, APRA suggests implementing access controls to prevent unauthorised modifications or deletions in both environments by a single account or person. Secondly, there’s insufficient testing to ensure the protection of backups from compromise. APRA recommends organisations to conduct thorough testing to validate the effectiveness of backups and to safeguard them from unauthorised access, modification, or alteration.
Lastly, there’s a deficiency in testing the capability to recover systems and data from backups. APRA advises companies to ensure adequate backup coverage to facilitate the recovery of critical business operations and to possess the technical capability for system and data recovery.
APRA expects regulated entities to assess their backup arrangements in light of these concerns. If any significant gaps are identified that could impact the entity’s risk profile or financial stability, APRA considers it a notable security control weakness, mandating notification under Paragraph 36 of CPS 234. This paragraph necessitates APRA-regulated entities to inform APRA within ten business days of identifying a material information security control weakness.
This caution from APRA comes after the recent UniSuper outage caused by Google Cloud inadvertently deleting the super fund’s private cloud. Despite having backups with another provider, it took over two weeks to fully restore UniSuper’s online services, and some data, primarily related to internal operations, was confirmed lost.
The first step in complying with APRA CPS 234 is to fully understand your current operations. Therefore running a risk assessment through the organisation is required to review existing business processes and identify weaknesses in existing controls.
Knowing your current processes is the foundation of risk analysis – until you have a big picture understanding of how work happens in your organisation, you can’t see areas of potential risk, vulnerability, and you won’t be able to identify areas that are in breach of APRA CPS 234 regulations.
This risk assessment will identify where improvements in the business continuity plan need to be made to ensure the organisation is able to respond to disruptions or breaches.
We use our Technology Capabilities Assessment to engage directly with you and your teams, to measure how well your existing ICT solutions, services and platforms are meeting your business objectives.
Once we fully understand your business dynamics we’ll provide recommendations on the solutions and long-term strategies you need to ensure your people and business enjoy the very best experiences from your IT platforms, services and applications.
In the wake of the increasing regularity of high-profile attacks on Australian organisations, including Optus, Medibank, and Medicare, the Australian Federal Government spent much of 2023 engaged in a consultation process to identify necessary updates to the Privacy Act.
We’d have to think hard to remember a time when IT leaders weren’t being asked to ‘do more with less’. It’s part of the job description to find innovative ways to extract ‘optimal value’ from existing or shrinking budgets.
