APRA initiates cyber crack-down on super funds

The Australian Prudential Regulation Authority (APRA) has imposed specific requirements on superannuation fund trustees to meet their obligations with respect to cyber security and resilience.
The regulator said recent “credential stuffing” attacks had reinforced its concerns about “persistent weaknesses in superannuation licensees’ information security controls, particularly those related to authentication”.
The superannuation funds identified as having been the subject of the “credential stuffing” attacks are being held to higher requirements by the regulator, including being required to engage a specialist rather than undertake a self-assessment.
The funds understood to have been affected by the attacks, which occurred in April, include AustralianSuper, ART, Rest and Hostplus.
“Although APRA has consistently emphasised the importance of robust cyber security, it is clear that current controls are not always commensurate with the evolving vulnerabilities and threats, nor with the criticality and sensitivity of the member data and assets they protect,” the letter to trustee boards said.
“The weaknesses we observed, especially in authentication controls, indicate a gap between APRA’s expectations as outlined in the standard and associated guidance (including CPG 234 and previous guidance on Multi-Factor Authentication (MFA)), and current industry practice,” it said.
“While APRA recognises RSE licensees’ efforts to improve their cyber defences, given the evolving threat environment, we expect to see faster and more holistic implementation of these critical controls, alongside robust capabilities to respond to cyber incidents,” the letter said.
The letter then went on to detail what APRA described as required actions it expects of superannuation funds:
- Perform a self-assessment of the entity’s existing information security controls.
  - The assessment must evaluate the implementation and effectiveness of authentication controls. It must consider the evolving threat landscape and whether stronger controls should be implemented.
  - At minimum, APRA expects entities to require MFA or equivalent controls for all high-risk activities (such as changing member details, withdrawals, benefit payment / transfer / rollover requests, or investment switching) and for all administrative or privileged access. Solutions should consider accessibility for disadvantaged groups or those who may legitimately opt out of certain digital channels.
- Where robust authentication controls (including requiring MFA or equivalent controls for high-risk activities and privileged access) have not been implemented or are deficient:
  - Submit to APRA a material control weakness notification in accordance with paragraph 35(a) of CPS 234, or provide a clear rationale on why the identified issue (i.e. the deficiency in authentication controls) is not material. This rationale must detail how your overall control environment, including other compensating controls, appropriately manages the associated risk.
  - If a material control weakness is identified and notified to APRA, conduct a breach assessment to determine if this also constitutes a breach of CPS 234 and, if so, submit a formal breach notification to APRA.
- Advise of the RSE licensee’s Accountable Person(s) under the Financial Accountability Regime (FAR) with responsibilities related to CPS 234 compliance, and if there is more than one, specify what aspects of compliance each of their responsibilities cover.
The regulator said it expects the superannuation funds to complete the actions by no later than 31 August.
So we can just say no and walk away then? It’s ironic that Industry Funds on one hand want to…
“profit to member” funds should not be handed a bill for the misdeeds of others. The most hypocritical ever, Industry…
oh my god, the hypocrisy. Why should I as an adviser who has never had a client in frozen funds…
And if an Adviser gets a renewal fee wrong by a technicality = ASIC crucifixion.
Horrific that this is even possible