APRA reminds banks and funds to check backup storage and deletion controls to protect customer data

In the wake of a significant cloud incident at UniSuper, the Australian Prudential Regulation Authority (APRA) has issued a cautionary directive to financial institutions and other regulated entities to scrutinize their IT backup systems and administrative permissions. This advisory, although not explicitly linked to UniSuper's recent troubles, appears to be a response to the issues highlighted by the incident.

APRA's open letter to these entities aims to "clarify expectations on cyber security and the adequacy of backups." The letter outlines three common issues that APRA has observed with backup systems in the financial sector. Notably, two of these concerns pertain to the location of backups and the permissions granted to individuals who can modify or delete them.

Firstly, APRA emphasizes the importance of "sufficient isolation of backups from the production environment." This measure is crucial to ensure that a compromise in the production environment does not extend to the backups. Essentially, if an attack or error impacts the main operational systems, the backups should remain secure and unaffected. This principle of isolation is a fundamental aspect of a robust cybersecurity strategy, designed to provide a safety net that can restore operations swiftly after an incident.

Secondly, APRA advises that access controls should be stringent enough to prevent any single account or person from having the authority to modify or delete both production and backup data. This recommendation aims to mitigate the risk of accidental or malicious deletions that could jeopardize the integrity and availability of critical data. By distributing access rights and implementing rigorous checks, organizations can reduce the likelihood of human error or internal threats compromising their data security.

These recommendations from APRA appear to be informed by the specifics of the UniSuper incident. UniSuper, a major Australian superannuation fund, experienced a significant disruption when a Google private cloud environment, which supported its online services, was mistakenly deleted due to a provisioning error that had occurred a year earlier. This incident highlighted the vulnerabilities associated with cloud infrastructure and the importance of having well-structured backup and recovery systems.

During the UniSuper incident, the organization had backups stored on both Google and non-Google cloud infrastructure. The latter played a pivotal role in the recovery process, underscoring the value of diversified backup strategies. Despite this, the incident severely impacted UniSuper's operations for about a week, illustrating the profound effect that such disruptions can have on financial institutions and their customers.

Throughout the UniSuper incident, APRA maintained a low profile, closely observing the situation and the recovery efforts without making public statements. This approach allowed APRA to gather insights and identify critical areas of improvement that could benefit the broader financial sector. While the recent communication from APRA does not directly reference the UniSuper case, the timing and content of the letter suggest a connection.

In a brief statement accompanying the letter, APRA explained that "the communication is part of APRA's ongoing commitment to supervising cyber resilience across the industry," as outlined in its interim policy and supervision priorities update from January. This update, however, did not specifically mention backups, indicating that the focus on backup systems has gained prominence following recent events.

The directive from APRA serves as a critical reminder of the importance of robust backup systems and stringent access controls in safeguarding against cyber incidents. For financial institutions, ensuring the integrity and availability of data is paramount, given the sensitive nature of the information they handle and the potential consequences of data breaches or system failures.

Effective backup strategies should encompass multiple layers of protection, including regular data backups, offsite storage, and comprehensive disaster recovery plans. Organizations should conduct periodic reviews and tests of their backup systems to verify their effectiveness and ensure that they can be relied upon in the event of an incident. Additionally, access controls should be regularly audited and updated to reflect the evolving threat landscape and organizational changes.

The UniSuper incident also underscores the need for financial institutions to have a clear understanding of their cloud service providers' policies and procedures. As cloud services become increasingly integral to business operations, organizations must ensure that their providers adhere to stringent security standards and offer robust backup and recovery options. This due diligence is essential to prevent incidents like the one experienced by UniSuper, where a provisioning error led to significant operational disruptions.

Moreover, the incident highlights the importance of a coordinated response to cyber incidents. Financial institutions should have well-defined incident response plans that outline the roles and responsibilities of key personnel, the steps to be taken in the event of a breach or failure, and the communication protocols to be followed. These plans should be regularly reviewed and tested to ensure that they remain effective and can be executed smoothly when needed.

APRA's focus on cyber resilience and backup adequacy reflects a broader trend within the financial regulatory landscape. As cyber threats become more sophisticated and pervasive, regulators around the world are increasingly emphasizing the importance of robust cybersecurity practices and resilience measures. Financial institutions are being encouraged to adopt a proactive approach to cyber risk management, incorporating best practices and leveraging technological advancements to enhance their security posture.

In conclusion, APRA's recent directive to financial institutions serves as a timely reminder of the critical importance of effective backup systems and stringent access controls in safeguarding against cyber incidents. The recommendations outlined in the open letter are designed to address common vulnerabilities and ensure that organizations are better prepared to handle disruptions.

The UniSuper incident serves as a case study, highlighting the potential impact of cloud-related errors and the need for diversified and well-structured backup strategies. By heeding APRA's advice and implementing robust cybersecurity measures, financial institutions can enhance their resilience and protect their critical data assets in an increasingly complex and challenging threat environment.