The Australian Prudential Regulation Authority (APRA) has recently issued a critical advisory urging banking, financial services and insurance (BFSI) entities to enhance their data backup procedures. This call to action stems from observed weaknesses that could significantly hinder the restoration of operations in the event of a cyberattack. Specifically, APRA has highlighted three key areas of concern:
- Insufficient Segregation Between Production and Backup Environments: Many insurers lack adequate separation between their production and backup systems, increasing the risk that a compromise in one could directly affect the other.
- Lack of Rigorous Control Testing: APRA observed that insurers are not sufficiently testing their backup controls to ensure that backups are genuinely protected from compromise. Without rigorous testing, these systems may provide a false sense of security.
- Inadequate Recovery Capability Testing: There is a critical gap in testing whether the backups can effectively recover both systems and data, which is essential for maintaining continuity in critical business operations.
APRA’s General Manager of Operational Resilience, Alison Bliss, emphasized the necessity for insurers to proactively review and address these gaps. Failure to do so could expose them to significant risks, potentially undermining their financial stability. APRA considers any identified weaknesses that could impact an entity’s risk profile or financial soundness as material security control weaknesses.
To mitigate these risks, APRA advises BFSI entities to implement robust access controls that prevent any single account or individual from having the ability to modify or delete both production and backup data. Moreover, insurers should ensure that their backup systems are not only effective and secure but also thoroughly tested to confirm their capability to recover critical business operations in the event of a disruption.
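One way to check the access-control point above in practice, as an added example that is not part of APRA's advisory or of this page: a small audit over a list of access grants that flags any principal holding modify or delete rights on both production and backup data, whether granted directly or through group membership. The grant and group records are constructed samples, and the function and field names are assumptions made for the illustration.

```python
"""Audit access grants for the separation APRA describes: no single
principal may be able to modify or delete both production and backup data.
Added example; all grant, group and scope names below are constructed."""

from dataclasses import dataclass

# Actions that count as "modify or delete"; "read" alone is not a concern.
DESTRUCTIVE = {"write", "delete"}


@dataclass(frozen=True)
class Grant:
    principal: str        # user, service account or group name
    scope: str            # "production" or "backup"
    actions: frozenset    # e.g. frozenset({"read", "write", "delete"})


def destructive_scopes(grants, group_members=None):
    """Map each principal to the set of scopes it can modify or delete.

    group_members (optional) maps a group name to its member principals, so
    rights granted to a group are attributed to every member of that group."""
    group_members = group_members or {}
    result = {}
    for g in grants:
        if not (g.actions & DESTRUCTIVE):
            continue  # read-only grants do not threaten backup integrity
        members = group_members.get(g.principal, {g.principal})
        for m in members:
            result.setdefault(m, set()).add(g.scope)
    return result


def find_violations(grants, group_members=None):
    """Principals able to modify or delete BOTH production and backup data."""
    scopes = destructive_scopes(grants, group_members)
    return sorted(p for p, s in scopes.items() if {"production", "backup"} <= s)


# Constructed sample: a handful of direct and group-based grants.
SAMPLE_GRANTS = [
    Grant("svc-app", "production", frozenset({"read", "write", "delete"})),
    Grant("svc-backup-writer", "backup", frozenset({"write"})),   # append-only
    Grant("backup-admins", "backup", frozenset({"read", "delete"})),
    Grant("alice", "production", frozenset({"read", "write"})),
    Grant("ops-oncall", "production", frozenset({"read", "write", "delete"})),
    Grant("bob", "backup", frozenset({"read"})),
]
SAMPLE_GROUPS = {
    "backup-admins": {"alice", "carol"},
    "ops-oncall": {"bob", "carol"},
}

if __name__ == "__main__":
    # alice: production write directly + backup delete via backup-admins
    # carol: backup delete via backup-admins + production delete via ops-oncall
    for principal in find_violations(SAMPLE_GRANTS, SAMPLE_GROUPS):
        print(f"VIOLATION: {principal} can modify/delete production and backup data")
```

Run as a one-off or from a pipeline that exports the real grant list from the identity provider and backup platform; a non-empty result is the finding the advisory asks entities to look for, and the group expansion is what stops a nested group membership from hiding it.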
This directive underscores the importance of a resilient backup strategy in the broader context of cyber resilience, particularly for entities regulated by APRA. BFSI entities, and indeed all APRA-regulated entities, are being called upon to stay vigilant and to actively strengthen their cybersecurity posture in response to this guidance.