Cyber threats continue to evolve at an unprecedented rate, with significant consequences for the security and stability of Australia’s financial system. For example, you may have heard about recent cyber incidents such as the Latitude data breach, which impacted over 14 million customers of this personal loan and financial service provider. The well-known Medibank ransomware attack, in which 9.7 million records belonging to the Australian health insurance giant’s customers were stolen, is another cautionary tale.
Breaches like these illustrate why data backup and resilience are so critical. It’s also why they’re a priority for the Australian Prudential Regulation Authority (APRA).
What is APRA?
The Australian Prudential Regulation Authority was established to protect Australia’s financial system. It plays a key role in raising awareness of cyber security threats, providing strategies for mitigating threats, and ensuring compliance. APRA currently supervises institutions that hold around $9 trillion in assets for Australian depositors, policyholders and fund members.
Due to the increasing frequency of cyber attacks, APRA’s 2024 guidelines prioritize operational and cyber resilience.
Overview of the Latest APRA Cyber Security Letter
In June 2024, APRA sent a cyber security letter to the 1,800 banks, credit unions, insurers, and superannuation funds it regulates. If your organization is regulated by APRA, it’s important to be aware of what the letter describes as a “heightened supervisory focus” on data backup.
Why data backup? For several reasons:
- Conducting regular backups is one of the Australian government’s “Essential Eight” cyber threat mitigation strategies. APRA believes that enhancing backup solutions and practices will minimize the likelihood and impact of cyber security incidents on the confidentiality, integrity, and availability of information assets, including those managed by third parties.
- APRA found that although many organizations use some type of backup, their backups are not effectively implemented. As a result, they’re unlikely to be able to restore data in the event of a cybersecurity incident.
- APRA found three common data backup weaknesses and said financial institutions must take steps now to safeguard against them.
Highlights from APRA’s New Cyber Security Letter
3 Common Data Backup Problems
- Insufficient segregation between production and backup environments
This poses a significant risk because it can lead to simultaneous compromise during a cyber attack. Any malware or ransomware that infiltrates the production environment can easily spread to backup systems, rendering both environments inoperable and making data recovery impossible. Proper segregation ensures backups remain secure and accessible. It enhances both business continuity and data integrity.
- Insufficient control, testing coverage, and rigor to ensure backups are protected from compromise
Organizations rely on backup data when production systems are compromised, whether from cybersecurity incidents, human error, or natural disasters. A recent report on Australian data breaches shows that 67% stemmed from malicious cyber acts such as phishing, stolen credentials, ransomware and hacking; 30% from human error; and 3% from system faults. If organizations cannot ensure backed-up data itself is continually safe, then they can’t protect against data loss.
- Insufficient testing of ability to recover systems and backup data within tolerance levels
Organizations that don’t test properly are more likely to experience critical failures during an actual recovery event. Systems and data that cannot be restored within acceptable tolerance levels cause prolonged downtime, financial losses, and reputational damage.
Every IT organization needs to determine its appropriate recovery time objective (RTO) and recovery point objective (RPO) tolerances. RTO is the goal you set for the maximum time it may take to restore operations. RPO is your goal for the maximum acceptable data loss, measured as the age of the most recent usable backup at the moment of the incident. Once these are agreed upon, it’s critical to test to make sure you can meet them.
APRA Expectations for Data Backup Security
APRA expects all regulated entities to review their backup against the common issues they identified. If you find gaps that could materially impact your organization’s risk profile or financial soundness, you must notify APRA.
If APRA also deems you have significant vulnerabilities, they may take several actions, including:
- Intensifying supervision
- Requiring a root cause analysis
- Requesting remediation plans
Complying with APRA Requirements for Data Backup Security
Follow these tips for ensuring compliance with APRA’s latest data backup requirements.
Isolate Backups from Your Production Environment
With so many organizations relying on SaaS applications, there’s a tendency to leave backup in the hands of the SaaS app vendors. This isn’t a good isolation strategy. For instance, some Salesforce customers use Salesforce’s backup capabilities. But if Salesforce is compromised, so is your backup.
A better, safer approach is to back up all your data to your own AWS, GCP, or Microsoft Azure instance. Not only does this separate it from the production environment, it enables you to maintain a Digital Chain of Custody for backup. With GRAX’s Salesforce data backup, you can monitor each piece of data throughout every stage of replication. You ensure all of your historical and real-time data is safeguarded since it doesn’t leave your organization’s possession.
For instance, one of Australia’s public agencies uses GRAX to fully back up, manage, and own their Salesforce data in their own AWS infrastructure. This also helps meet APRA’s access control guidelines, which call for preventing any single account or person from having permission to modify or delete both production and backup.
In addition to protecting their backup data against cyber threats, this agency also uses GRAX for archival and retention planning, and takes advantage of GRAX’s Right to be Forgotten functionality. This helps them meet the Australian Privacy Principles.
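The access control guideline described above (no single account or person may modify or delete in both production and backup) is straightforward to audit mechanically. The following is an added Python example, not code from the page, from GRAX or from any cloud provider: it takes a constructed list of role grants with hypothetical principal names and reports every principal whose destructive permissions span both environments. Read-only access to both, as an auditor might hold, is deliberately not flagged.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Permissions that let a holder alter or destroy data. Read-only access is not
# the concern of this check.
DESTRUCTIVE = {"write", "modify", "delete", "purge"}

# Constructed sample of grants as (principal, environment, permission).
# Principal names are hypothetical; they do not come from any real tenant.
GRANTS: List[Tuple[str, str, str]] = [
    ("svc-salesforce-sync", "production", "write"),
    ("svc-salesforce-sync", "production", "delete"),
    ("svc-backup-writer",   "backup",     "write"),
    ("alice.admin",         "production", "delete"),
    ("alice.admin",         "backup",     "delete"),   # destructive in both: violation
    ("bob.auditor",         "production", "read"),
    ("bob.auditor",         "backup",     "read"),     # read-only in both: acceptable
    ("carol.restore",       "backup",     "read"),
    ("carol.restore",       "production", "write"),    # restores into prod, reads backup only
]


def destructive_by_principal(grants: Iterable[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Map each principal to the environments where it holds a destructive permission."""
    envs: Dict[str, Set[str]] = defaultdict(set)
    for principal, env, perm in grants:
        if perm in DESTRUCTIVE:
            envs[principal].add(env)
    return envs


def find_separation_violations(grants: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Principals able to modify or delete data in both production and backup.

    One such account is exactly what lets a single compromise or a single
    mistake destroy the live data and its copy at the same time.
    """
    envs = destructive_by_principal(grants)
    return sorted(p for p, e in envs.items() if {"production", "backup"} <= e)


if __name__ == "__main__":
    for principal in find_separation_violations(GRANTS):
        print(f"VIOLATION: {principal} can modify/delete in both production and backup")
```

In practice the grant list would be exported from the identity provider and cloud IAM rather than typed in, and the check would run on a schedule so that a newly granted role is caught before it is needed in a recovery.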
See how GRAX can help you
Check out our demo to discover how GRAX can help you support your compliance needs.
Implement a Reliable Backup Strategy and Solution
Make sure to include all relevant stakeholders and consider all business implications when creating your backup strategy and determining RTO and RPO.
You should also evaluate the types of backups that may be most appropriate based on cost and storage considerations:
- Full Backup
A complete copy of all data, this provides the most comprehensive protection but requires the most storage space.
- Incremental Backup
Only backs up data that has changed since the last backup. This saves storage space and time but requires multiple backups to restore fully.
- Differential Backup
This backs up data changed since the last full backup, striking a balance between full and incremental backups.
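To make the trade-off between the three types concrete, here is an added Python example (not from the page or from any vendor product) that simulates each strategy over a constructed four-day dataset. It reports how much each strategy stores and how many backup sets a restore of the latest day has to read, which is where the difference shows up during a real recovery. The file names and contents are made up; deletions are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the complete state (path -> contents) of a small dataset on
# four consecutive days. Day 0 is when the full backup is taken. Not real data.
DAILY_STATE: List[Dict[str, str]] = [
    {"a.txt": "a1", "b.txt": "b1", "c.txt": "c1"},                 # day 0: baseline
    {"a.txt": "a2", "b.txt": "b1", "c.txt": "c1"},                 # day 1: a changed
    {"a.txt": "a2", "b.txt": "b2", "c.txt": "c1"},                 # day 2: b changed
    {"a.txt": "a2", "b.txt": "b2", "c.txt": "c1", "d.txt": "d1"},  # day 3: d added
]


@dataclass
class Backup:
    kind: str              # "full", "incremental" or "differential"
    day: int
    files: Dict[str, str]  # the files this backup set actually stores


def changed_since(base: Dict[str, str], current: Dict[str, str]) -> Dict[str, str]:
    """Files that are new or whose contents differ from `base`.
    Deletions are not modelled here; a real tool also records removed paths."""
    return {path: data for path, data in current.items() if base.get(path) != data}


def build_chain(kind: str) -> List[Backup]:
    """Day 0 is always a full backup; days 1..n follow the requested strategy."""
    chain = [Backup("full", 0, dict(DAILY_STATE[0]))]
    for day in range(1, len(DAILY_STATE)):
        if kind == "full":
            files = dict(DAILY_STATE[day])
        elif kind == "incremental":
            # Only what changed since the previous backup of any kind.
            files = changed_since(DAILY_STATE[day - 1], DAILY_STATE[day])
        elif kind == "differential":
            # Everything that changed since the last full backup.
            files = changed_since(DAILY_STATE[0], DAILY_STATE[day])
        else:
            raise ValueError(f"unknown backup kind: {kind}")
        chain.append(Backup(kind, day, files))
    return chain


def restore(chain: List[Backup], day: int) -> Tuple[Dict[str, str], int]:
    """Rebuild the dataset as of `day` and report how many backup sets were read."""
    if day == 0 or chain[day].kind == "full":
        return dict(chain[day].files), 1
    state = dict(chain[0].files)          # always start from the full backup
    if chain[day].kind == "differential":
        state.update(chain[day].files)    # one more set: the latest differential
        return state, 2
    sets_read = 1
    for backup in chain[1:day + 1]:       # incremental: replay every set, in order
        state.update(backup.files)
        sets_read += 1
    return state, sets_read


def storage_cost(chain: List[Backup]) -> int:
    """Total number of file copies held across the whole chain."""
    return sum(len(b.files) for b in chain)


if __name__ == "__main__":
    for kind in ("full", "incremental", "differential"):
        chain = build_chain(kind)
        state, sets_read = restore(chain, 3)
        print(f"{kind:12s} stores {storage_cost(chain):2d} file copies; "
              f"restoring day 3 reads {sets_read} set(s); "
              f"correct={state == DAILY_STATE[3]}")
```

Full backups restore from a single set but store every file every day; incremental backups store the least but a restore must replay every set since the full, so losing or corrupting any one of them breaks the chain; differential backups need only the full plus the latest differential, at the cost of storing a growing set each day until the next full.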
Finally, carefully evaluate your organization’s data backup and recovery solutions to ensure they can help you meet APRA requirements.
Implement Testing to Validate Backups are Complete and Protected
APRA’s goal is to ensure backup data is protected against unauthorized access, modification or alteration. Data backup best practices for testing include:
- Regular Testing
Conduct routine tests by restoring files from backups to verify data integrity and availability.
- Data Integrity Checks
Implement automated tools to continuously verify backup consistency and detect any corruption or missing data. Run continuous backups to ensure data is accurate, up-to-date, and complete.
- Access Control Audits
Regularly review and update access controls to ensure only authorized personnel can access backup systems.
- Encryption Verification
Ensure backups are encrypted both in transit and at rest, and periodically validate encryption effectiveness.
- Compliance and Policy Reviews
Regularly review backup policies and procedures to align with industry standards and APRA requirements.
- Monitoring and Alerts
Implement systems that generate alerts for any backup failures or suspicious activities.
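As an added illustration of the data integrity check described above, the following Python example (not code from the page or from GRAX) records a SHA-256 hash of every file in a constructed in-memory backup set in a manifest, authenticates the manifest with an HMAC so that someone who alters backup files cannot simply rewrite the manifest to match, and then reports missing, corrupted or unexpected files. The file names, contents and key are placeholders.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed in-memory backup set: path -> bytes. Not real exported data.
BACKUP_SET: Dict[str, bytes] = {
    "accounts.csv": b"id,name\n1,Acme\n2,Globex\n",
    "contacts.csv": b"id,email\n1,a@example.com\n",
    "opportunities.csv": b"id,amount\n1,1000\n",
}

# Placeholder key. In practice it lives in a KMS or HSM, never beside the backup,
# otherwise an intruder who can alter the files can also re-sign the manifest.
MANIFEST_KEY = b"placeholder-manifest-key-keep-in-kms"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes], key: bytes) -> Tuple[str, str]:
    """Return (manifest_json, hmac_tag) for a backup set at the time it is written."""
    manifest = {p: {"sha256": sha256_hex(c), "size": len(c)} for p, c in sorted(files.items())}
    body = json.dumps(manifest, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body, tag


def verify_backup(files: Dict[str, bytes], manifest_body: str, tag: str, key: bytes) -> List[str]:
    """Compare a stored backup set against its signed manifest; an empty list means clean."""
    expected = hmac.new(key, manifest_body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        # Without a trustworthy manifest nothing below can be believed.
        return ["manifest signature invalid; treat the whole backup set as untrusted"]
    manifest = json.loads(manifest_body)
    findings: List[str] = []
    for path, meta in manifest.items():
        if path not in files:
            findings.append(f"missing: {path}")
        elif sha256_hex(files[path]) != meta["sha256"]:
            findings.append(f"corrupted: {path}")
    for path in files:
        if path not in manifest:
            findings.append(f"unexpected: {path}")
    return findings


def run_scenarios() -> Dict[str, List[str]]:
    """Exercise the check against a clean set and three constructed failure modes."""
    body, tag = build_manifest(BACKUP_SET, MANIFEST_KEY)
    damaged = dict(BACKUP_SET)
    damaged["contacts.csv"] = b"id,email\n"          # truncated on disk
    missing = {p: c for p, c in BACKUP_SET.items() if p != "accounts.csv"}
    tampered_manifest = body.replace("accounts", "acc0unts")
    return {
        "clean": verify_backup(BACKUP_SET, body, tag, MANIFEST_KEY),
        "corrupted_file": verify_backup(damaged, body, tag, MANIFEST_KEY),
        "missing_file": verify_backup(missing, body, tag, MANIFEST_KEY),
        "tampered_manifest": verify_backup(BACKUP_SET, tampered_manifest, tag, MANIFEST_KEY),
    }


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(f"{name:18s} -> {findings or 'OK'}")
```

Run the verification on a schedule against the stored copy, not against the source system, and feed any non-empty result into the alerting described under Monitoring and Alerts; a manifest that no longer verifies is itself a signal worth investigating, not just a reason to re-run the backup.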
Validate Ability to Quickly Recover Critical Business Data and Operations
Make sure to perform tests focused on recovering systems and data within your tolerance levels.
- Simulation Drills
Schedule and perform data recovery exercises that simulate different types of cyber incidents. This helps you evaluate the effectiveness of the recovery process and identify any weaknesses.
- Full-System Restores
Regularly perform full-system restores to a test environment to verify that all data and applications can be recovered accurately and completely.
- Incremental Recovery Tests
Periodically test incremental restores to ensure that recent data changes can be accurately recovered, meeting your RPO requirements.
- Time-Based Recovery Drills
Measure the time taken to restore data during tests and compare it against your RTO goals. Adjust processes as needed to ensure timely recovery.
- Validation of Backup Integrity
Perform data integrity checks during the recovery process to ensure that the restored data is complete and uncorrupted.
- Review and Update Recovery Plans
Regularly review and update your disaster recovery plan to address new risks and incorporate lessons learned from tests.
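The RTO and RPO definitions given earlier and the time-based drills and integrity validation listed above come together in a drill scorecard. The following is an added Python example, not code from the page or from GRAX: it takes constructed drill records (timestamps and an integrity result, all made up), computes the achieved RTO as the restore duration and the achieved RPO as the age of the last usable backup at the moment of the incident, and lists every reason a drill failed against constructed tolerances of four hours and one hour.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Drill:
    name: str
    incident_at: datetime          # when production data became unavailable or corrupt
    backup_taken_at: datetime      # timestamp of the most recent usable backup
    restore_started_at: datetime
    restore_finished_at: datetime  # service confirmed usable again
    integrity_ok: bool             # restored data passed its integrity checks


# Tolerances agreed with stakeholders. Constructed values for this example.
RTO = timedelta(hours=4)   # maximum time to restore operations
RPO = timedelta(hours=1)   # maximum acceptable data loss, as the age of the last backup


def achieved_rto(d: Drill) -> timedelta:
    """Time the restore actually took, from start to confirmed working."""
    return d.restore_finished_at - d.restore_started_at


def achieved_rpo(d: Drill) -> timedelta:
    """Everything written between the last usable backup and the incident is lost."""
    return d.incident_at - d.backup_taken_at


def minutes(td: timedelta) -> int:
    return int(td.total_seconds() // 60)


def evaluate_drill(d: Drill, rto: timedelta = RTO, rpo: timedelta = RPO) -> Dict:
    """Compare one drill against the tolerances and list every reason it failed."""
    failures: List[str] = []
    if achieved_rto(d) > rto:
        failures.append(f"RTO exceeded: took {minutes(achieved_rto(d))} min, limit {minutes(rto)} min")
    if achieved_rpo(d) > rpo:
        failures.append(f"RPO exceeded: {minutes(achieved_rpo(d))} min of data lost, limit {minutes(rpo)} min")
    if not d.integrity_ok:
        failures.append("restored data failed integrity checks")
    return {
        "drill": d.name,
        "rto_minutes": minutes(achieved_rto(d)),
        "rpo_minutes": minutes(achieved_rpo(d)),
        "passed": not failures,
        "failures": failures,
    }


def summarize(drills: List[Drill]) -> Dict[str, int]:
    """Count passed and failed drills for a management summary."""
    results = [evaluate_drill(d) for d in drills]
    passed = sum(1 for r in results if r["passed"])
    return {"passed": passed, "failed": len(results) - passed}


T = datetime(2024, 7, 1)  # constructed base date for the sample drills

DRILLS: List[Drill] = [
    # 170 min restore, 30 min of data lost: within both tolerances
    Drill("ransomware-full-restore", T.replace(hour=9), T.replace(hour=8, minute=30),
          T.replace(hour=9, minute=15), T.replace(hour=12, minute=5), True),
    # 290 min restore: RTO missed even though the data was recent
    Drill("datacentre-outage", T.replace(hour=9), T.replace(hour=8, minute=30),
          T.replace(hour=9, minute=10), T.replace(hour=14), True),
    # fast restore, but the last usable backup was two hours old: RPO missed
    Drill("accidental-deletion", T.replace(hour=17), T.replace(hour=15),
          T.replace(hour=17, minute=10), T.replace(hour=17, minute=40), True),
]


if __name__ == "__main__":
    for d in DRILLS:
        r = evaluate_drill(d)
        status = "PASS" if r["passed"] else "FAIL"
        print(f"{status} {r['drill']}: RTO {r['rto_minutes']} min, RPO {r['rpo_minutes']} min; {r['failures']}")
    print(summarize(DRILLS))
```

Recording drills in this form makes the "adjust processes as needed" step measurable: a drill that passes RTO but fails RPO points at backup frequency, while the reverse points at the restore procedure itself.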
Role of Senior Management in APRA Compliance
Senior management at financial institutions plays a crucial role in ensuring compliance with guidelines and improving overall cybersecurity posture. APRA expects them to establish and maintain a comprehensive security policy framework, manage cyber risk, implement strong security controls, and define clear accountability for security roles and responsibilities in their organization.
Management teams can further enhance APRA data backup compliance by proactively allocating resources, leading by example, and monitoring APRA’s new requirements.
Allocating Resources
Leaders should ensure adequate funding and resources for APRA initiatives. Make sure to include regular employee training in your budget. Employees must know how to recognize and respond to evolving cyber threats and execute data protection measures.
Leading by Example
By showcasing a commitment to security from the top down, you foster a culture of security awareness and drive stronger cybersecurity practices.
APRA Data Backup Compliance Monitoring
APRA is continuously reviewing and updating their requirements and guidelines. Make sure to keep abreast by reviewing all update letters and monitoring your organization’s ability to meet the latest guidelines. A detailed checklist can help you track progress and ensure adherence to APRA’s requirements.
Preparing for Cyber Threats: APRA’s Guidance
While data backup is the focus of APRA’s June 2024 update, IT and business leaders must also implement other critical tools and strategies for minimizing the impact of cyber attacks.
Importance of Continuous Monitoring and Real-Time Threat Detection
Continuous monitoring and real-time threat detection are crucial for early identification and mitigation. Best practice is to use these tools:
- Advanced monitoring software for gaining real-time insights into network activity
- Threat Intelligence feeds to stay informed about emerging threats
- Automated Response Systems for instantly acting upon detected threats
Regular Audits for Improving Security Posture
Regular audits and assessments are vital for maintaining compliance and improving security. Best practices recommended by APRA include:
- Independent Audits: Using third parties can help identify and address new vulnerabilities.
- Continuous Improvement: Use audit findings to enhance security measures and ensure ongoing compliance.
Urgency for APRA Data Backup
If you haven’t started assessing your data backup capabilities, now is the time to begin. Make sure you’re separating your backup and production environments. Test your backup and recovery processes, and make sure your backup tools can help you meet APRA’s new requirements. By adhering to APRA’s guidelines and continuously enhancing your cyber security practices, you’ll help stabilize your own business operations and the entire Australian financial system.
Improve your security posture today.
Speak with GRAX experts to see how you can meet APRA’s new requirements.