APRA presses banks, funds to check backup storage and deletion controls


Australia’s financial safety regulator has warned banks and other regulated entities to check their IT backups and admin permissions, in what appears to be a cloaked response to the UniSuper incident last month.



The Australian Prudential Regulation Authority wrote an open letter to all entities to “clarify expectations on cyber security and adequacy of backups”.

The letter notably describes three “common issues” that APRA suggested it had observed with backup systems in the sector.

Two of the three concerns related to where the backups are housed and who – if anyone – can modify or delete them.

APRA wrote that “sufficient isolation of backups from the production environment” must exist “so that a compromise of the production environment does not compromise backups.”

“This should include access controls preventing any single account or person to have permission to modify or delete both production and backup,” it said.
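The separation APRA describes is straightforward to audit once you have a list of who holds which rights on which environment. The script below is an added example, not part of the article or anything APRA published: it takes constructed, hypothetical access bindings (direct and group-based, loosely modelled on cloud IAM role assignments) and lists every principal who ends up with modify or delete rights on both the production scope and the backup scope. Group expansion matters because a person with no direct binding can still reach both scopes through two separate admin groups.

```python
"""Find principals able to modify or delete both production and backups.

Added example (not the article's or APRA's own code). Bindings, group
membership, scope names and permission names below are all constructed.
"""

from collections import defaultdict

# Constructed sample bindings: (principal, scope, permissions).
BINDINGS = [
    ("alice@example.com",     "prod",   {"read", "write", "delete"}),
    ("alice@example.com",     "backup", {"read"}),
    ("bob@example.com",       "prod",   {"read", "write", "delete"}),
    ("bob@example.com",       "backup", {"read", "delete"}),   # can delete both
    ("group:platform-admins", "prod",   {"read", "write", "delete"}),
    ("group:backup-admins",   "backup", {"read", "write", "delete"}),
    ("carol@example.com",     "backup", {"read", "delete"}),
    ("svc-prod-deploy",       "prod",   {"write"}),
]

# Constructed group membership. dave is in both admin groups, so he holds
# destructive rights on both scopes despite having no direct binding.
GROUPS = {
    "group:platform-admins": {"dave@example.com", "erin@example.com"},
    "group:backup-admins":   {"dave@example.com", "frank@example.com"},
}

# Permissions that let a holder change or destroy data in a scope.
DESTRUCTIVE = {"write", "delete"}


def effective_permissions(bindings, groups):
    """Expand group bindings to their members.

    Returns {principal: {scope: set_of_permissions}} with group-granted
    permissions merged into each member's own.
    """
    eff = defaultdict(lambda: defaultdict(set))
    for principal, scope, perms in bindings:
        if principal.startswith("group:"):
            members = groups.get(principal, set())
        else:
            members = {principal}
        for member in members:
            eff[member][scope] |= set(perms)
    return eff


def find_single_points_of_destruction(bindings, groups, scopes=("prod", "backup")):
    """Return the sorted principals who can modify or delete every listed scope.

    An empty list means no single identity can take out production and
    its backups together, which is the property APRA's letter asks for.
    """
    eff = effective_permissions(bindings, groups)
    offenders = [
        principal
        for principal, by_scope in eff.items()
        if all(by_scope.get(scope, set()) & DESTRUCTIVE for scope in scopes)
    ]
    return sorted(offenders)


if __name__ == "__main__":
    for who in find_single_points_of_destruction(BINDINGS, GROUPS):
        print(f"{who}: destructive rights on both prod and backup")
```

Run against real exports (for example, role bindings pulled from a cloud provider's IAM API plus directory group membership) the same logic doubles as a regression check in a pipeline: fail the build whenever the returned list is non-empty. Service accounts and break-glass identities are the usual sources of findings, so review those first.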

That advice appears to reflect some of the characteristics of the UniSuper incident last month, where a Google private cloud environment powering online services was mistakenly deleted due to a provisioning error a year earlier.

The super fund had backups on both Google and non-Google cloud infrastructure; it’s the latter that’s been credited with aiding the fund’s recovery, although it was still heavily impacted for a week.

APRA had indicated during the UniSuper incident that it had been observing the occurrence and recovery, though it publicly stayed relatively quiet throughout that process.

APRA did not link the sending of the letter to the specific UniSuper incident.

In a brief statement, it said “the communication is part of APRA’s ongoing commitment to supervising cyber resilience across industry, as outlined in its interim policy and supervision priorities update” from January. The update makes no mention of backups, however.
