APRA presses banks, funds to check backup storage and deletion controls

Australia’s financial safety regulator has warned banks and other regulated entities to check their IT backups and admin permissions, in what appears to be a cloaked response to the UniSuper incident last month.

The Australian Prudential Regulation Authority wrote an open letter to all entities to “clarify expectations on cyber security and adequacy of backups".

The letter notably describes three “common issues” that APRA suggested it had observed with backup systems in the sector.

Two of the three concerns related to where the backups are housed and who - if anyone - can modify or delete them.

APRA wrote that “sufficient isolation of backups from the production environment” must exist “so that a compromise of the production environment does not compromise backups." 

“This should include access controls preventing any single account or person to have permission to modify or delete both production and backup,” it said.

That advice appears to reflect some of the characteristics of the UniSuper incident last month, where a Google private cloud environment powering online services was mistakenly deleted due to a provisioning error a year earlier.

The super fund had backups on both Google and non-Google cloud infrastructure; both are said to have aided the fund’s recovery, although online services were still heavily impacted for a week.

APRA had indicated during the UniSuper incident that it had been observing the occurrence and recovery, though it publicly stayed relatively quiet throughout that process.

APRA did not link the sending of the letter to the specific UniSuper incident.

In a brief statement, it said “the communication is part of APRA's ongoing commitment to supervising cyber resilience across industry, as outlined in its interim policy and supervision priorities update" from January. The update makes no mention of backups, however.

Update, 17/6: The article originally emphasized the role of third-party backups in the restoration, referencing published information that "UniSuper had backups in place with an additional service provider. These backups have minimised data loss, and significantly improved the ability of UniSuper and Google Cloud to complete the restoration." Both organisations have since sought to emphasize the role that backups within Google Cloud also played in recovery.