APRA reminds insurers to back up data against the risk of loss
The authority emphasised compliance with CPS 234.
The Australian Prudential Regulation Authority (APRA) reminds insurers to fortify their cyber resilience strategies, particularly by using data backups to protect an entity against data loss.
Cyber resilience is a key focus of APRA’s supervision priorities. In its Interim Policy and Supervision Priorities update, APRA emphasises maintaining a heightened supervisory focus on cyber resilience, ensuring compliance with Prudential Standard CPS 234 Information Security (CPS 234).
Entities are encouraged to periodically self-assess against the practices in Prudential Practice Guide CPG 234 Information Security (CPG 234).
Although many entities have backup practices, common issues can limit the effectiveness of these backups in restoring systems during an incident.
APRA expects entities to review their backup arrangements against these common issues. If gaps that could materially impact the entity’s risk profile or financial soundness are identified, APRA considers this a material security control weakness notifiable under paragraph 36 of CPS 234.
Given the fast-moving nature of cyber threats, APRA will continue to share information on any common areas of weakness in the future.