Industry fund hit with licence conditions over cyber breach
Industry superannuation fund NGS Super has had more licence conditions imposed on it over a cyber security breach.
The Australian Prudential Regulation Authority (APRA) said it has imposed additional licence conditions on NGS Super Pty Limited (NGS), effective 11 December 2023, “after significant deficiencies were identified in NGS’ cyber controls”.
It said the additional licence conditions follow an internal report prepared by NGS’ internal auditor in August 2022, an independent tripartite review undertaken at APRA’s request and delivered in April 2023, and a cyber incident in March 2023.
“The reviews identified deficiencies in NGS’ compliance with Prudential Standard CPS 234 – Information Security (CPS 234), while the cyber incident involved a significant amount of data being lost and NGS’ systems being compromised for a period,” APRA said.
It said that while NGS has taken steps to address the recommendations in the internal audit and tripartite review reports, APRA has put in place additional licence conditions that require NGS to engage an independent third party to:
- provide assurance regarding NGS’ remediation activities and to address the recommendations contained in the internal audit and tripartite review reports; and
- conduct an operational effectiveness review of the CPS 234 controls and frameworks in place for NGS.
On completion of the operational effectiveness review, NGS is required to provide APRA with an attestation from the NGS Chair that the remediation actions are complete and effective, and that the entity is compliant with CPS 234.