The Australian Prudential Regulation Authority (APRA) is worried that cyberattacks have exposed information security control weaknesses in the A$4.1 trillion (US$2.7 trillion) superannuation industry.
In a letter to super fund board chairs, APRA said recent ‘credential stuffing’ attacks, in which attackers replay username-and-password pairs leaked from breaches elsewhere against a fund’s login pages, had exposed persistent weaknesses in authentication practices across the industry.
“Although APRA has consistently emphasised the importance of robust cyber security, it is clear that current controls are not always commensurate with the evolving vulnerabilities and threats, nor with the criticality and sensitivity of the member data and assets they protect,” APRA Deputy Chair Margaret Cole wrote in the letter.
APRA said it expected all registrable superannuation entities (RSEs) to:
- complete a self-assessment of their information security controls
- ensure multi-factor authentication (MFA) or equivalent protections were in place for high-risk activities and privileged access, and
- notify APRA of any material control weaknesses or breaches.
APRA said it had observed weaknesses indicating a gap between its expectations, as set out in Prudential Standard CPS 234 Information Security and the associated guidance, and current industry practice.
Although the regulator recognised RSE licensees’ efforts to improve their cyber defences, it said that, given the evolving threats, it expected faster and more holistic implementation of critical controls and robust response capabilities.
“The superannuation industry is custodian of more than $4 trillion in member funds,” Cole wrote.
“The industry is systemically significant, and many millions of Australians rely upon it for the safekeeping of funds to support their retirement.
“The obligation of superannuation entities to ensure the safety and security of members’ retirement savings and member data is non-negotiable.”
At least A$500,000 was stolen in a major cyber-security breach in April involving thousands of Australian superannuation accounts, in coordinated attacks on Australia’s biggest super fund, AustralianSuper, its second largest, Australian Retirement Trust, and Hostplus, Rest and Insignia Financial (ASX: IFL).