APRA warns of data back-up weaknesses
The Australian Prudential Regulation Authority has urged insurers to improve data back-up procedures after it observed common problems that can hamper restoration of hacked operations.
It warns of insufficient segregation between production and back-up environments, a lack of control testing and rigour to ensure back-ups are protected from compromise, and insufficient testing of the capability to recover systems and data.
Insurers are urged to review their back-up arrangements and address any gaps.
“APRA-regulated entities must stay vigilant and proactively implement strategies to mitigate the risk and impact of potential cyberattacks,” GM Operational Resilience Alison Bliss said.
“APRA expects regulated entities to review their back-up arrangements against these common issues. If the review identifies gaps that could materially impact the entity’s risk profile or financial soundness, APRA considers this a material security control weakness.”
Insurers are advised to have access controls that prevent any single account or person modifying or deleting both production and back-up.
They should also ensure that testing programs show back-ups are effective and protected from unauthorised access, modification or alteration, that back-up coverage is sufficient to enable the recovery of critical business operations, and that the technical capability can recover systems and data.