APP 11.2 requires APP entities to take reasonable steps to protect personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.
This past weekend's WannaCry ransomware attack reportedly infected over 200,000 computers on 6 continents, and encrypted all the files on those machines. If a user fails to pay the $300 ransom within 3 days, the price doubles to $600; then after a week, the user’s files are at risk of being deleted entirely.
Unlike the ways other malware can spread, WannaCry did not infect these machines because employees clicked on a malicious link in email. Instead, WannaCry infected their computers simply because they were running on unpatched versions of the Windows operating system.
Regular patching of your organisation's operating systems, applications and websites is an important way to protect against the risks of malware - and is also one of the (but not the only) "reasonable steps" that APP entities should take to comply with their obligations under APP 11.2.