APRA releases notes on Superannuation Industry Roundtable from July 2025 following cyber incidents
The Australian Prudential Regulation Authority (APRA) hosted a Superannuation Industry Roundtable focussed on the recent cyber incidents impacting several superannuation entities. APRA outlined its observations and expectations on cyber resilience and the uplift required to protect superannuation members and the broader system. The roundtable included commentary from key government agencies and reflections from several impacted superannuation entities.
Introduction
Superannuation is a systemically significant and complex industry that plays a critical role in the long-term financial wellbeing of Australia’s economy and its people. With over $4 trillion of assets under its stewardship, the industry has the enormous responsibility and privilege of growing and safeguarding the retirement savings of millions of Australians. These assets are becoming increasingly attractive to fraudsters and cyber criminals.
APRA has highlighted the need to uplift security as soon as weaknesses are exposed or identified. This involves assessing whether current capabilities are adequate and continually testing preparedness and response.
Trust in the system remains a key consideration in decision making. In this context, cooperation and coordination across the sector will be the industry's greatest defence; treating entities in isolation will not.
While the overall impact of the recent cyber incidents (March/April 2025), which targeted individual superannuation members, was contained, the incidents were recognised as an indication of the system's appeal to threat actors. The timing of the incidents, which coincided with market volatility, was also considered relevant to the overall impact.
Expectations
APRA reminded participants of expectations on authentication controls as recently communicated to the industry:
- APRA reinforces expectations on authentication controls in superannuation sector
- Information Security Obligations and Critical Authentication Controls
APRA provided several observations regarding incident response across the superannuation industry. Entities that responded effectively demonstrated a clear understanding of their control environments, particularly around payments processes, which enabled swift action to interrupt transactions and recover funds. The industry needs to improve its awareness of the impact an incident has on public perception and member trust, and to improve coordination so that responses are timely. Entities with clear accountability for member protection consistently outperformed others, highlighting the value of a proactive cyber security approach.
Update by Lieutenant General Michelle McGuinness, CSC (National Cyber Security Coordinator)
LTGEN McGuinness provided an overview of the evolving cyber threat landscape in Australia and highlighted that threat actors are increasingly targeting Australia and, once successful, often replicate their methods across entire sectors. A key tension remains between competition and collaboration in the cyber security space, which can hinder collective progress. LTGEN McGuinness emphasised the critical importance of rapid information sharing during incidents to improve responsiveness and resilience across industries.
The role of the National Office of Cyber Security (NOCS) in supporting organisations during cyber incidents was highlighted. The NOCS has been progressively releasing a series of industry sector playbooks. Participants were also referred to the Financial Sector playbook, which is publicly available.
Several key elements were identified as essential to effective incident response. Clear and timely communications are vital, and having a well-developed and regularly exercised incident response plan significantly improves preparedness. Organisations must understand who their stakeholders are - including members, regulators and government agencies - and how to engage them during a crisis. Knowing what data is stored and where it resides is also crucial for managing risk and response effectively. Those who have rehearsed their plans are consistently better equipped to handle real-world incidents.
Participants were reminded that the aftermath of a cyber incident often involves a prolonged recovery phase. This can include remediation efforts, internal and external reviews, legal proceedings, and regulatory actions. LTGEN McGuinness expressed deep appreciation for organisations willing to share their experiences and lessons learned, as these insights help others prepare and improve their own responses. As cyber threats continue to evolve, it is essential to treat risks in one sector as potential risks to all, reinforcing the need for adaptive and collaborative controls across the board.
Learnings and Reflections
Several entities provided an overview of learnings and reflections from their experience during the incident:
Member communications: Low overall engagement from members made it more difficult to communicate effectively during the incident. To avoid mixed messaging, it’s essential that the communications approach is clearly understood by all stakeholders. There is an opportunity to enhance the crisis communication plan by clearly defining roles and responsibilities. When complete data isn’t available, there needs to be a balance between providing general updates and sharing specifics. Members need information that helps them stay alert to potential risks. Additionally, outbound calls proved challenging due to growing community distrust in answering calls from unknown numbers.
Media management: Entities reflected on the complexities of managing media communications, highlighting the need for proactive engagement and consistent messaging to maintain trust. It was recognised early that the incident would attract significant media attention. While member communication was prioritised, care was taken not to cause panic or undue concern. Monitoring social media emerged as the fastest way to identify emerging media issues. Media messaging should be clear and direct, especially regarding how and where members can contact their fund. Understanding the most impacted member groups was also identified as a key priority.
Incident response experience: Entities shared their experiences in managing the incident, noting both successes and challenges. Member account safety was prioritised, and proactive communication with affected members led to a generally positive sentiment. In the early stages, CISO networks were heavily relied upon for information sharing, suggesting a potential opportunity to establish more formal and proactive arrangements across funds to improve responsiveness. Communicating with a large number of members quickly, without overwhelming call centres, was a significant challenge. However, the industry gained valuable insights, particularly in communications, that could be applied in future incidents.
Reliance on third party providers/administrators: The incident highlighted the benefits of a collective approach across the supply chain, including administrators and banks involved in the payment chain. Strong partner relationships laid the foundation for a collaborative and rapid response across areas such as Risk Advisory, Security Operations, Incident Response, Digital Forensics, Contact Centre, and Administration Services. Third-party commitment was evident, with many going above and beyond to achieve the best outcomes for members. The combined expertise across the super ecosystem brought significant skills and knowledge to the table. The Service Provider Alert service added an extra layer of protection to existing cybersecurity controls. Regular and transparent information sharing ensured alignment on priorities, and shared digital workspaces enabled seamless, real-time interaction between partners.
Australian Signals Directorate (ASD)
ASD provided an update on trends in the broader Australian financial sector, which continues to be a target of state-sponsored activity, not only financially motivated crime. Attacks now target both lower- and higher-income countries.
The following broad trends were noted regarding incidents in the Australian financial sector:
- 20% credential stuffing: automated, brute-force login attempts replaying compromised credentials of customers/members and administrators.
- 35% data breaches or ransomware attacks.
- 15% Distributed Denial-of-Service (DDoS) activity.
- 30% exploitation of vulnerabilities, for example weaknesses left open by a failure to patch.
Questions submitted to roundtable
In the event of a cyber incident affecting multiple stakeholders - including funds within the superannuation ecosystem - who will be responsible for coordinating the industry response?
In the first instance, RSEs and operators need to respond to and address the immediate threat(s) during an incident. While it was acknowledged that it is challenging to identify who holds responsibility for an overall industry response, today's roundtable reflects both the need and an opportunity for the industry to develop this capability.
What is the Council of Financial Regulators (CFR) position on the future of the Cyber Operational Resilience Intelligence-led Exercises (CORIE) program, and are any changes expected?
No changes are expected, however any proposed changes would be notified to industry in advance.
What are your expectations around the use of Multi-Factor Authentication (MFA)?
Participants were referred to the expectations communicated by APRA at the start of the roundtable and the recent letters to industry on the subject.
Attendees
APRA
Name | Position |
---|---|
Carmen Beverley-Smith | Executive Director, Life & Private Health Insurance and Superannuation |
Peter Kohlhagen | General Manager, Life & Private Health Insurance and Superannuation |
Alison Bliss | General Manager, Non-Financial Risk |
Nick Stanton | Head of Cyber Risk and Response |
Rowan Price | Risk Specialist, Non-Financial Risk |
Raymond Tang | Risk Specialist, Non-Financial Risk |
Sarah Nicholson | Head of Regulatory Affairs |
Externals
Name | Position |
---|---|
Lieutenant General Michelle McGuinness, CSC | National Cyber Security Coordinator |
Representatives of ASD, Treasury and ASIC | |
Industry associations and advocates: ASFA, FSC, SMC, SCA and GNGB (the Gateway Network Governance Body) | |
CEOs and CROs (or delegates) as representatives from RSELs across the industry | |