In a strongly worded letter issued Tuesday to board chairs of all large superannuation funds, the Australian Prudential Regulation Authority (APRA) said it expects faster, more holistic implementation of robust cyber defences, including multi-factor authentication or equivalent controls.
“The obligation of superannuation entities to ensure the safety and security of members’ retirement savings and member data is non-negotiable,” wrote APRA deputy chair Margaret Cole.
The $4.2 trillion super sector is “systemically significant”, APRA said, and vulnerabilities in authentication, particularly around access to member data and high-risk transactions, have become an unacceptable threat to both members and system integrity.
“While APRA recognises RSE licensees’ efforts to improve their cyber defences, given the evolving threat environment, we expect to see faster and more holistic implementation of these critical controls, alongside robust capabilities to respond to cyber incidents,” the letter said.
In response, APRA has ordered all super funds to complete a self-assessment of their current information security controls by 31 August 2025.
This includes mandatory evaluation of authentication systems, especially multi-factor authentication, for all high-risk activities and privileged access.
Entities that identify weaknesses must either notify APRA under breach-reporting obligations or justify why the gaps are not material. The letter also calls for identification of the accountable person(s) under the Financial Accountability Regime responsible for CPS 234 compliance.
Entities directly impacted by the credential stuffing incidents – including Rest, Hostplus, AustralianSuper, Insignia’s Expand platform, Australian Retirement Trust, Cbus Super and Media Super – must conduct an externally engaged special review of their controls to assess the adequacy and effectiveness of their authentication controls in accordance with CPS 234.
APRA’s action follows growing concerns about the pace of cyber security reform in super and underscores the regulator’s commitment to embedding stronger cyber resilience, regardless of fund size.
“APRA remains firmly focused on this critical issue and will continue to pursue it through supervisory and other regulatory actions as necessary,” Cole said.
Reacting to Cole’s letter, the Association of Superannuation Funds of Australia (ASFA) labelled APRA’s expectations “fair and reasonable” in a statement on Tuesday.
“ASFA has taken a leading role in ensuring the sector is meeting them and is well prepared for future cyber incidents,” ASFA CEO Mary Delahunty said.
She revealed that the association has commenced work on establishing sector-wide minimum fraud controls and vowed to ensure that multi-factor authentication requirements for the sector are in place by 31 August.
The association, Delahunty added, is also developing a superannuation cyber security coordination and collaboration framework in consultation with the sector and relevant stakeholders.
In April, cyber security firm Proofpoint released research revealing that 58 per cent of super funds are falling behind on the most basic security measures.
“Australian superannuation funds hold the financial futures of millions of everyday Australians, yet our research reveals 58 per cent are failing to implement basic email security protocols,” Steve Moros, senior director, advanced technology group, Asia-Pacific and Japan at Proofpoint, said at the time.
“This security gap creates a dangerous opening for cyber criminals who specifically target these data-rich organisations,” he added.
Proofpoint conducted Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis of more than 80 Australian funds and found that 8 per cent don’t have any DMARC protection at all, while only 42 per cent have the highest level of DMARC protection.
DMARC has three levels of protection – monitor, quarantine and reject, the latter of which is the highest level of protection. The protocol is designed to prevent domain names from being misused by cyber criminals.
According to the research, 23 per cent of Australian funds use the quarantine level of protection and 27 per cent use the monitor level.
“The recent breach resulting in over $500,000 in losses demonstrates these threats aren’t theoretical and, in fact, regular occurrences growing in volume. They’re actively impacting Australians’ retirement savings,” Moros said.
“While resource constraints are understandable, implementing robust DMARC protection isn’t optional in today’s threat landscape – it’s essential infrastructure that stands between members’ life savings, their privacy and increasingly sophisticated fraud campaigns targeting these critical financial institutions.”
