The Australian Prudential Regulation Authority (APRA) has reinforced its expectations of superannuation funds around information security and the implementation of robust authentication controls.
In a letter sent to all RSE (Registrable Superannuation Entity) licensee board chairs, the regulator said it expects all RSE licensees to complete a self-assessment of their information security controls, ensure multi-factor authentication (MFA) or equivalent protections are in place for high-risk activities and privileged access, and notify APRA of any material control weaknesses or breaches.
It gave a deadline of 31 August 2025 for those actions to be completed.
The move follows recent credential stuffing attacks that reinforced APRA’s concerns about persistent weaknesses in RSE licensees’ information security controls, particularly those related to authentication.
“Although APRA has consistently emphasised the importance of robust cyber security, it is clear that current controls are not always commensurate with the evolving vulnerabilities and threats, nor with the criticality and sensitivity of the member data and assets they protect,” the letter said.
APRA used the letter to remind all licensees of their obligations under Prudential Standard CPS 234 Information Security (CPS 234), which mandates that entities implement information security controls commensurate with the vulnerabilities, threats, criticality, and sensitivity of their information assets.
“While APRA recognises RSE licensees’ efforts to improve their cyber defences, given the evolving threat environment, we expect to see faster and more holistic implementation of these critical controls, alongside robust capabilities to respond to cyber incidents,” the regulator said.
APRA also issued separate communications to certain RSE licensees that were directly affected by the recent credential stuffing incidents, laying out requirements to undertake a special purpose engagement, rather than the self-assessment, to assess the adequacy and effectiveness of their authentication controls in accordance with CPS 234.