On Tuesday 23 November 2021, APRA released commentary following the conclusion of its pilot initiatives, the tripartite audit and technology resilience data collection.
Following APRA’s feedback we first unpacked the expectation for Boards to review and challenge information reported by management on cyber resilience. APRA’s feedback also focuses on ensuring recovery from high-impact cyber attacks.
According to responses to the data collection, in the past 12 months, more than one third of respondents had not tested their backups for critical systems, and 22% of entities had not tested their cyber incident response plans.
Boards are encouraged to seek assurance on the entity’s likely ability to recover from a high-impact cyber attack.
Dealing with a cyber attack, we often turn our minds to an incident response. While relevant, those same response processes and decisions will quickly focus and rely on matters of baseline preparedness, and data backup is a critical component. Boards must recognise and understand that an effective incident response plan must manage the interplay between highly complex non-IT elements e.g. does the Board have a position on paying ransomware demands, and longstanding good practice IT operations e.g. resilient data backups.
For Boards, understanding which data is backed up, where, how often and when a restoration test was last undertaken may seem trivial, however it is these elements that are the cornerstone of understanding if your entity has a ‘good’ backup or not.
For Management, being able to answer the Board questions above is imperative. So too is being able to demonstrate through plans, playbooks and practices that data recovery scenarios are well considered, tested and resilient. Above all, management must be able to take confident and decisive action in the event of a high-impact cyber event.
Security is often thought of as needing complex solutions to opaque and complex risks which are understood by a few specialists. Where data and resilience is concerned nothing could be further from the truth – complete, functioning and tested backups have been a general IT risk management practice for decades. Boards should expect these processes to be well established, well-practiced and reliable.
