APRA Deputy Chair Margaret Cole's remarks to the Conexus Chair Forum

Tales of the Unexpected
Good afternoon and thank you again to Conexus for the opportunity to represent APRA for the fifth and final time at this event. It is fitting that I am joined once more by Simone Constant from ASIC. Throughout my time at APRA, I have sought closer working relationships between our two agencies to drive better outcomes for superannuation members.

But with another five months at APRA to go, I’m not here today to make a farewell speech. I’d like to direct my remarks to the themes of risk management, resilience and governance.

Preparing for today, I was reminded of a popular British television series from the 1980s called Tales of the Unexpected. Each episode featured a story with a surprise plot twist. As a viewer, you had no idea how an episode would end but given the fact you were watching a show called Tales of the Unexpected, you were prepared for anything. You expected the unexpected.

When you look back at events in superannuation over the past few years, “expect the unexpected” would be an appropriate maxim for the industry.

Too many trustees have been caught off guard by situations they did not expect or had not taken steps to prevent. In many cases, these were situations that might not have been anticipated but were not entirely unforeseeable either.

Last year’s credential stuffing attacks took the impacted funds and members by surprise. But the attacks occurred six years after APRA had introduced baseline information security obligations for APRA-regulated entities, and followed repeated warnings from APRA, ASIC and others that trustees needed to strengthen cyber controls. The crystallised loss was contained, but it was a serious wake-up call.

Unplanned system outages experienced by a number of super funds in recent years were the cause of significant disruptions to members’ ability to access basic fund services, such as pension payments and rollovers. Again, these were not unimaginable scenarios. Large-scale outages have occurred all too often in other service sectors similarly reliant on technology and third-party providers.

When things go wrong there are serious consequences, for trustees, for funds but most importantly for fund members.

At a time of significant geopolitical uncertainty, the industry’s growing dependency on technology and third-party providers, and the rising threat of malicious actors, the risk of material unexpected events in 2026 cannot be zero.

Your members won’t expect you to know if or when the unexpected might happen, but they will expect you to be prepared when it does. And so will APRA.

Preparing for the unexpected

Australia has a strong and resilient superannuation system which is vital to protecting retirement savings and the economic wellbeing of the nation.

As trustees you play an important role in keeping the system safe and strong through your stewardship of member assets and your duty to act in the best interests of your members.

That means acting in members’ best interests in everything you do: the strategies you set, how you invest and spend members’ monies, how you manage risks, and how you support members throughout their working and retired lives.

Robust trustee board governance is critical to your fund’s resilience to withstand adverse events and to keep members safe. In this way good governance underpins trust in the system.

Unfortunately, we continue to see instances of weak governance from trustees.

In 2026, APRA will continue to focus resolutely on lifting trustee standards across a range of areas including operational risk management, cyber controls and investment governance. As these are major ongoing themes, this will not be unexpected.

Setting expectations

Operational risk management

As you know, APRA’s prudential standard CPS 230 came into effect last July to ensure all APRA-regulated entities are resilient to operational risks and disruptions. APRA is currently engaging with entities to ensure compliance with the standard.

In many respects, CPS 230 serves as a “blueprint” to help you expect, prepare and manage the “unexpected”.

CPS 230 requires entities to manage their operational risks, maintain critical operations through disruptions and manage the risks arising from service providers.

The implementation of the comprehensive levels of operational resilience required under CPS 230 represented a more significant shift in approach for superannuation funds than for banks and insurers.

The standard’s strengthened requirements for identifying and managing risks related to material service providers are highly applicable in super, given the industry’s widespread reliance on external providers for critical operations such as administration services and investment management.

CPS 230 ensures that you understand how your service providers operate in relation to your critical operations, the suppliers they use, the risks they face and how they mitigate those risks. The more you know about your service provider, the less “in the dark” you’ll feel if something breaks and, hopefully, the more quickly you’ll be able to act to minimise the impact on your members.

And Boards are expected to understand the material risks and vulnerabilities of critical operations and to ensure those risks are being managed appropriately by senior management.

Cyber security

As I have already touched on, a key operational risk is cyber risk.

Last year’s cyberattacks exposed persistent weaknesses in authentication practices across the industry. With cyber and fraud incidents on the rise, it is frustrating that some trustees have dragged their feet to comply with APRA’s information security standard CPS 234, which is not the ceiling but the floor.

After the attacks, we wrote to all of you to reinforce our expectations around information security and the implementation of robust authentication controls.

We also set out our expectation for funds to improve their information sharing arrangements with peers and regulators to help the rest of the industry to detect and anticipate threats early and reduce the risk of multiple attacks.

In the case of the funds directly impacted by the attacks, we continue to maintain heightened supervision to ensure required actions to strengthen cyber controls are fully implemented.

It is critical that trustees – and the industry as a whole – remain highly alert to the evolving cyber threat.

Cyber security isn’t just a technology issue; it’s a governance and risk issue. Protecting members’ data and assets is fundamental to trust in the system.

And as I flagged at the Conexus Retirement Conference, trustees should be especially vigilant about the cyber risk to assets sitting in retirement phase products. These products provide greater avenues for funds to be withdrawn from the superannuation system.

Investment governance

Operational risk events such as system outages and cyber incidents are what might immediately spring to mind when you think about expecting the unexpected. But investment-related risk events can also have serious consequences.

An inadequate response by trustees to market disruptions and liquidity events could have a significant adverse impact on the financial system and member outcomes.

Last year’s collapse of managed investment schemes First Guardian and Shield came as a shock to the industry and to the many members affected. The collapses exposed deficiencies across the system and caused financial harm to members who had transferred retirement savings into the products.

While APRA does not regulate managed investment schemes, our recent thematic review of platform trustees identified examples of weak practices in the investment governance of investment options offered on platforms, including investment option onboarding and monitoring.

This has since led to APRA accepting a court enforceable undertaking from Netwealth and imposing licence conditions on Diversa Trustees and Equity Trustees to address investment governance-related concerns.

APRA’s focus on lifting standards in investment governance pre-dates last year’s events.

The strengthened investment governance standard, SPS 530, took effect in 2023, after two years of consultation and reforms.

And just over a year ago, APRA published its findings from a thematic review into valuation and liquidity risk governance. The review found that 12 of the 23 in-scope trustees required material improvement in either or both their valuation governance or liquidity risk frameworks.

Shortcomings in trustee governance of investment valuations, liquidity and platforms will continue to be a focus for APRA. Platform trustees, in particular, can expect continued heightened scrutiny this year. I am sure that is not unexpected.

The imposition of licence conditions is a critical APRA tool. Licence conditions drive immediate attention and action to addressing deficiencies, typically without an extended period of court litigation. In my time at APRA, we have become more muscular in our use of this tool. You can expect this to continue.

Conclusion

Your fund members should be able to expect that their retirement savings are in safe hands, that their personal data is protected, and that their account-based pension payments will come through on time. And that if some unexpected event were to beset their fund, you would not be caught unawares or unprepared.

And that you, as trustee, have robust governance, risk management and processes in place to support the best financial interests of your members, come what may.

None of us can see into the future. But unlike the Tales of the Unexpected viewers, you have the opportunity to do more than simply brace yourself for the twist in the tale.

After all, as Lady Chiltern in Oscar Wilde’s An Ideal Husband puts it: “To expect the unexpected shows a thoroughly modern intellect.” 

It is now my pleasure to pass over to Simone.

Thank you.