
APRA reinforces expectations on authentication controls in superannuation sector

The Australian Prudential Regulation Authority (APRA) has written to all RSE (Registrable Superannuation Entity) licensee board chairs, reinforcing expectations around information security and the implementation of robust authentication controls.

This action follows recent credential stuffing attacks that exposed persistent weaknesses in authentication practices across the superannuation industry. APRA has reminded entities of their obligations under Prudential Standard CPS 234 Information Security and outlined specific actions to assess and strengthen authentication controls.

APRA expects all RSE licensees to complete a self-assessment of their information security controls, ensure multi-factor authentication (MFA) or equivalent protections are in place for high-risk activities and privileged access, and notify APRA of any material control weaknesses or breaches. Entities must also identify their Accountable Person(s) under the Financial Accountability Regime (FAR) responsible for CPS 234 compliance. 

The letter, "For action: Information Security Obligations and Critical Authentication Controls", is available on the APRA website.

The Australian Prudential Regulation Authority (APRA) is the prudential regulator of the financial services industry. It oversees banks, mutuals, general insurance and reinsurance companies, life insurance, private health insurers, friendly societies, and most members of the superannuation industry. APRA currently supervises institutions holding around $9 trillion in assets for Australian depositors, policyholders and superannuation fund members.