Super funds falling short on data back-up says APRA

Mike Taylor, 4 June 2024
Cyber Resilience

Superannuation funds have been warned to get their houses in order on weaknesses in their data backups, as part of their cyber resilience.

The Australian Prudential Regulation Authority (APRA) has specifically identified data backup as being a weakness for superannuation funds.

In a letter sent to superannuation fund trustees this week, APRA said it had “observed weakness in the use of data backups to protect an entity against data loss”, noting that the use of backups is “one of the Essential Eight” prioritised cyber mitigation strategies.

“APRA notes through recent supervisory activities that although many entities have backup practices in place, APRA has observed common problems that can limit the usefulness of these backups in restoring systems during an incident,” it said.

The regulator then outlined the deficiencies it had observed as:

  • Insufficient segregation between production and backup environments;

“APRA expects regulated entities to review their backup arrangements against these common issues. If the review identifies gaps that could materially impact the entity’s risk profile or financial soundness, APRA considers this a material security control weakness notifiable under paragraph 36 of CPS 234,” the regulator said.

“Given the fast-moving nature of cyber threats, APRA will continue to share information on any common areas of weakness in the future.”

Mike Taylor

Managing Editor/Publisher, Financial Newswire
