
For action: Information Security Obligations and Critical Authentication Controls

Australian Prudential Regulation Authority, 1 Martin Place (Level 12), Sydney NSW 2000; GPO Box 9836, Sydney NSW 2001; Telephone: 02 9210 3000; Website: www.apra.gov.au

To: Board Chairs of All RSE Licensees


The superannuation industry is custodian of more than $4 trillion in member funds. The industry is systemically significant, and many millions of Australians rely upon it for the safekeeping of funds to support their retirement. The obligation of superannuation entities to ensure the safety and security of members’ retirement savings and member data is non-negotiable.

APRA expects RSE licensee boards to ensure their entities maintain cyber resilience that reflects their critical role in the system and responsibility to members. An inadequate control environment poses an unacceptable threat to the security of member funds and data.

Recent credential stuffing attacks have reinforced APRA’s concerns about persistent weaknesses in RSE licensees’ information security controls, particularly those related to authentication. Although APRA has consistently emphasised the importance of robust cyber security, it is clear that current controls are not always commensurate with the evolving vulnerabilities and threats, nor with the criticality and sensitivity of the member data and assets they protect.

APRA is therefore writing to board chairs of RSE licensees today to remind them of their obligations under Prudential Standard CPS 234 Information Security (CPS 234) and to require certain actions to be taken to confirm compliance with those requirements.

Requirements under CPS 234

APRA reminds all RSE licensees of their binding obligations under Prudential Standard CPS 234 Information Security (CPS 234). Paragraph 21 of CPS 234 mandates that entities implement information security controls commensurate with the vulnerabilities, threats, criticality, and sensitivity of their information assets. 

The weaknesses we observed, especially in authentication controls, indicate a gap between APRA’s expectations as outlined in the standard and associated guidance (including CPG 234 and previous guidance on Multi-Factor Authentication (MFA)), and current industry practice. While APRA recognises RSE licensees’ efforts to improve their cyber defences, given the evolving threat environment, we expect to see faster and more holistic implementation of these critical controls, alongside robust capabilities to respond to cyber incidents.

APRA therefore requires that each RSE licensee takes the following actions:

  1. Perform a self-assessment of the entity’s existing information security controls.
     • The assessment must evaluate the implementation and effectiveness of authentication controls. It must consider the evolving threat landscape and whether stronger controls should be implemented.
     • At minimum, APRA expects entities to require MFA or equivalent controls for all high-risk activities (such as changing member details, withdrawals, benefit payment / transfer / rollover requests, or investment switching) and for all administrative or privileged access. Solutions should consider accessibility for disadvantaged groups or those who may legitimately opt out of certain digital channels.
  2. Where robust authentication controls (including requiring MFA or equivalent controls for high-risk activities and privileged access) have not been implemented or are deficient:
     • Submit to APRA a material control weakness notification in accordance with paragraph 35(a) of CPS 234, or provide a clear rationale on why the identified issue (i.e. the deficiency in authentication controls) is not material. This rationale must detail how your overall control environment, including other compensating controls, appropriately manages the associated risk.
     • If a material control weakness is identified and notified to APRA, conduct a breach assessment to determine whether this also constitutes a breach of CPS 234 and, if so, submit a formal breach notification to APRA.
  3. Advise APRA of the RSE licensee’s Accountable Person(s) under the Financial Accountability Regime (FAR) with responsibilities related to CPS 234 compliance and, if there is more than one, specify which aspects of compliance each person’s responsibilities cover.

APRA expects entities to complete these actions no later than 31 August 2025.

In addition to this letter, APRA is issuing separate communications to certain RSE licensees directly affected by the recent credential stuffing incidents. These entities are required to undertake a special purpose engagement, as opposed to the self-assessment in action 1 above, to assess the adequacy and effectiveness of their authentication controls in accordance with CPS 234. 

APRA remains firmly focused on this critical issue and will continue to pursue it through supervisory and other regulatory actions as necessary. APRA expects all trustees—regardless of size—to treat this matter with the urgency and priority it demands, in line with the risks they manage and their duty to protect member interests.

Should your entity have any questions regarding this letter, or the expectations outlined, please contact your APRA supervisor.

Yours sincerely

Margaret Cole
Deputy Chair

2025