APRA urges banks and investment firms to review backup storage and deletion controls
Australia's prudential regulator has cautioned banks and other regulated entities to review their IT backups and administrative permissions, apparently in response to the recent UniSuper incident.
The Australian Prudential Regulation Authority (APRA) published an open letter to the entities it regulates to “clarify expectations regarding cybersecurity and sufficiency of backups”.
The correspondence notably delineates three “typical concerns” identified by APRA in relation to backup systems in the industry.
Two of these concern where backups are stored and who is authorised to alter or delete them.
According to APRA, “there must be adequate isolation of backups from the main environment” so that a compromise of the production environment cannot also affect the backups.
“This should involve access controls that prohibit any single account or individual from having the ability to alter or delete both production and backup data,” it added.
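The two controls APRA describes, isolation of backup storage from the production environment and no single identity able to destroy both production and backup data, are the kind of thing an engineer would want to check mechanically against an access inventory. The script below is an added illustration, not code from APRA, UniSuper or any cloud vendor: the role catalogue, permission strings, group memberships, bindings and resource inventory are all constructed here for the example. It expands group membership to individual identities (a group binding is how one person quietly ends up with both sides), treats a wildcard owner role as implying every destructive permission, and reports both dual-control violations and backup stores that sit in the same account as production data.

```python
"""Audit an access inventory for the two backup controls described above.

Everything in this file is constructed for illustration: the role names,
permission strings, groups, bindings and resource inventory are hypothetical
and do not reflect any real provider's IAM schema.
"""
from collections import defaultdict

# Hypothetical role catalogue: role name -> permissions it grants.
# "*" stands for an owner-style role that implies every permission.
ROLES = {
    "roles/storage.admin": {"storage.objects.get", "storage.objects.delete",
                            "storage.buckets.delete"},
    "roles/storage.viewer": {"storage.objects.get"},
    "roles/backup.operator": {"backup.jobs.run", "backup.snapshots.get"},
    "roles/backup.admin": {"backup.jobs.run", "backup.snapshots.get",
                           "backup.snapshots.delete", "backup.vault.delete"},
    "roles/owner": {"*"},
}

# Permissions that can alter or destroy data; the separation requirement is
# about these, not about read access.
DESTRUCTIVE = {"storage.objects.delete", "storage.buckets.delete",
               "backup.snapshots.delete", "backup.vault.delete"}

# Constructed resource inventory: what each store holds and the cloud
# account/project it lives in.
RESOURCES = {
    "prod-data-bucket":     {"tier": "prod",   "account": "acct-prod"},
    "prod-backup-vault":    {"tier": "backup", "account": "acct-prod"},   # same account as prod
    "offsite-backup-vault": {"tier": "backup", "account": "acct-vault"},
}

# Constructed group memberships (groups may nest).
GROUPS = {
    "group:platform-admins": {"user:alice", "user:bob"},
    "group:backup-team":     {"user:carol", "user:bob"},
}

# Constructed role bindings: (principal, role, resource).
BINDINGS = [
    ("group:platform-admins", "roles/storage.admin",   "prod-data-bucket"),
    ("group:backup-team",     "roles/backup.admin",    "offsite-backup-vault"),
    ("user:carol",            "roles/storage.viewer",  "prod-data-bucket"),
    ("user:dave",             "roles/owner",           "prod-data-bucket"),
    ("user:dave",             "roles/backup.operator", "offsite-backup-vault"),
    ("sa:ci-deploy",          "roles/storage.admin",   "prod-data-bucket"),
    ("sa:ci-deploy",          "roles/backup.admin",    "prod-backup-vault"),
]


def expand_principal(principal, groups, _seen=None):
    """Resolve a binding principal to the individual identities behind it,
    following nested groups and tolerating membership cycles."""
    members = groups.get(principal)
    if members is None:
        return {principal}
    seen = _seen if _seen is not None else set()
    if principal in seen:
        return set()
    seen.add(principal)
    out = set()
    for member in members:
        out |= expand_principal(member, groups, seen)
    return out


def destructive_reach(bindings, roles, groups, resources, destructive=DESTRUCTIVE):
    """Map each individual identity to the set of tiers on which it holds at
    least one destructive permission."""
    reach = defaultdict(set)
    for principal, role, resource in bindings:
        perms = roles[role]
        if "*" not in perms and perms.isdisjoint(destructive):
            continue  # read-only or operational role: not a separation concern
        tier = resources[resource]["tier"]
        for identity in expand_principal(principal, groups):
            reach[identity].add(tier)
    return reach


def find_dual_control(bindings, roles, groups, resources, destructive=DESTRUCTIVE):
    """Identities that can alter or delete both production and backup data."""
    reach = destructive_reach(bindings, roles, groups, resources, destructive)
    return sorted(i for i, tiers in reach.items() if {"prod", "backup"} <= tiers)


def find_unisolated_backups(resources):
    """Backup stores living in an account that also holds production data."""
    prod_accounts = {r["account"] for r in resources.values() if r["tier"] == "prod"}
    return sorted(name for name, r in resources.items()
                  if r["tier"] == "backup" and r["account"] in prod_accounts)


if __name__ == "__main__":
    print("dual-control violations:", find_dual_control(BINDINGS, ROLES, GROUPS, RESOURCES))
    print("backups not isolated:", find_unisolated_backups(RESOURCES))
```

On the constructed data the audit flags `user:bob`, who has no direct backup grant but inherits one through `group:backup-team`, and `sa:ci-deploy`, a pipeline identity with admin rights on both stores; `user:dave` is not flagged because an operator role that only runs jobs and reads snapshots is not destructive. The isolation check separately flags `prod-backup-vault` for sharing an account with production, which is the other concern the letter raises.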
This advice seems to echo aspects of the UniSuper incident last month, in which a Google private cloud deployment supporting the fund's online services was deleted as the result of an earlier provisioning error.
The superannuation fund had backups on both Google and non-Google cloud platforms; it was the latter that proved crucial to the fund's recovery, although services were affected for about a week.
APRA said during the UniSuper incident that it was monitoring the situation and the recovery, but otherwise stayed relatively quiet throughout.
APRA did not explicitly tie the issuance of the letter to the specific UniSuper issue.
In a brief announcement, it said “the correspondence is part of APRA’s continuous dedication to overseeing cyber resilience in the sector, as laid out in its latest policy and supervision priorities update” from January. Notably, that update does not explicitly address backups.
