44 APRA-regulated entities could consider low-likelihood scenarios that could result in an extreme impact to the regulated entity (i.e. the plausible worst case). Extreme impacts can be financial or non-financial (e.g. reputational or regulatory) and could threaten the ongoing ability of the APRA-regulated entity to meet its obligations. Examples of such scenarios include:
    44a malicious acts by an insider with highly privileged access, potentially involving collusion with internal or external parties;
    44b deletion or corruption of both production and backup data, whether through malicious intent, user error or system malfunction;
    44c loss of, or unauthorised access to, encryption keys safeguarding extremely critical or sensitive information assets.
45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls that prevent such scenarios or reduce their impact. One example is ransomware: malware that infects computers and encrypts data, both on the infected computer and on any connected storage, including corporate network shares and cloud storage. Such attacks reinforce the importance of protecting the backup environment so that it survives a compromise of the production environment. Common techniques to achieve this include network segmentation between production and backup, highly restricted and segregated access controls for the backup environment, and network traffic flow restrictions that prevent production systems from initiating connections into it.
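The segmentation and traffic-flow controls described in paragraph 45 can be expressed as invariants and audited against a firewall policy. The following is an added example, not part of APRA CPG 234 and not a reference implementation of it: it models a small set of zones, hosts and first-match firewall rules (all constructed for illustration), then checks three invariants that a backup environment resistant to the ransomware scenario should satisfy. A deliberately weak policy (production agents push backups over SMB, administration allowed from anywhere) is compared with a hardened one (the backup server pulls from production, administration only from a dedicated jump host). The zone ranges, host addresses, port numbers and rule names are assumptions made for the example.

```python
"""Audit a segmentation policy for backup isolation (constructed example).

Invariants checked against the backup zone:
  1. No production host may initiate a connection into the backup zone
     (backups are pulled by the backup zone, never pushed into it).
  2. Management ports on backup hosts are reachable only from the
     dedicated backup-admin jump host (or from within the backup zone).
  3. No rule permits an 'any' source into the backup zone.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional

# Assumed zone layout and special hosts (not from the guide).
ZONES = {
    "production": ip_network("10.10.0.0/16"),
    "backup": ip_network("10.200.0.0/24"),
    "mgmt": ip_network("10.250.0.0/24"),
}
BACKUP_ADMIN_JUMP = ip_address("10.250.0.5")   # only host allowed to administer backups
BACKUP_MGMT_PORTS = {22, 443}                  # ports treated as 'management'


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    dport: Optional[int]  # None = any destination port
    action: str          # "allow" or "deny"


def _in_net(cidr: str, ip: IPv4Address) -> bool:
    return cidr == "any" or ip in ip_network(cidr)


def is_allowed(policy: List[Rule], src: IPv4Address, dst: IPv4Address, port: int) -> bool:
    """First-match evaluation of connection initiation; implicit deny at the end."""
    for rule in policy:
        if _in_net(rule.src, src) and _in_net(rule.dst, dst) and rule.dport in (None, port):
            return rule.action == "allow"
    return False


def zone_of(ip: IPv4Address) -> str:
    return next((name for name, net in ZONES.items() if ip in net), "unknown")


def audit_backup_isolation(policy: List[Rule], hosts: List[IPv4Address], ports: List[int]) -> List[str]:
    """Return a list of human-readable violations of the three invariants."""
    violations = []
    backup_hosts = [h for h in hosts if zone_of(h) == "backup"]
    for src in hosts:
        for dst in backup_hosts:
            for port in ports:
                if not is_allowed(policy, src, dst, port):
                    continue
                if zone_of(src) == "production":
                    violations.append(f"production host {src} can reach backup host {dst}:{port}")
                elif port in BACKUP_MGMT_PORTS and src != BACKUP_ADMIN_JUMP and zone_of(src) != "backup":
                    violations.append(f"management port {port} on {dst} reachable from non-jump host {src}")
    # Invariant 3 is structural: an 'any' source allowed into the backup zone is a hole
    # regardless of which hosts happen to exist today.
    for rule in policy:
        wide_dst = rule.dst == "any" or ip_network(rule.dst).overlaps(ZONES["backup"])
        if rule.action == "allow" and rule.src == "any" and wide_dst:
            violations.append(f"rule {rule.name!r} allows any source into the backup zone")
    return violations


# Weak policy: production agents push backups over SMB, admin from anywhere (constructed).
WEAK_POLICY = [
    Rule("prod-pushes-backups", "10.10.0.0/16", "10.200.0.0/24", 445, "allow"),
    Rule("admin-from-anywhere", "any", "10.200.0.0/24", 22, "allow"),
    Rule("default-deny", "any", "any", None, "deny"),
]

# Hardened policy: the backup server pulls from production; admin only from the jump host.
HARDENED_POLICY = [
    Rule("backup-server-pulls", "10.200.0.10/32", "10.10.0.0/16", 22, "allow"),
    Rule("jump-to-backup-admin", "10.250.0.5/32", "10.200.0.0/24", 22, "allow"),
    Rule("default-deny", "any", "any", None, "deny"),
]

# Constructed sample hosts: one production server, backup server and storage, jump host, another admin PC.
SAMPLE_HOSTS = [ip_address(h) for h in ("10.10.1.20", "10.200.0.10", "10.200.0.20", "10.250.0.5", "10.250.0.9")]
SAMPLE_PORTS = [22, 443, 445]

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        found = audit_backup_isolation(policy, SAMPLE_HOSTS, SAMPLE_PORTS)
        print(f"{label}: {len(found)} violation(s)")
        for v in found:
            print("  -", v)
```

The model only covers connection initiation; a stateful firewall allows the return traffic of the pull, which is why the hardened policy needs no rule from production back into the backup zone. The pull model also means the credentials that can write to backup storage never reside on production hosts, so ransomware that has taken over production has no path, network or credential, to the backups.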