Super funds urge against escalating minor cyber incidents to APRA

Superannuation funds have made it clear that they do not want any tightening of cyber security legislation to result in relatively minor incidents defaulting into reports to the Australian Prudential Regulation Authority (APRA).
While at least one industry superannuation fund is still dealing with APRA over a cyber security incident from a year ago, the Association of Superannuation Funds of Australia (ASFA) has told the Government that its member funds do not want minor security incidents automatically escalated to APRA.
Responding to consultation on the proposed cyber security legislative changes, ASFA said the existing threshold for reporting a security incident to APRA was that the incident “materially affected or had the potential to materially affect, financial or non-financially, the entity”.
“Member organisations have observed that it may be considered that engagement with the Australian Signals Directorate (ASD) during minor incidents does not meet this materiality criteria,” it said.
ASFA recommends that consideration be given to:
- policy makers working with the regulators to devise a way to streamline reporting
- either:
  - making clarifications in the legislation to the effect that:
    - the ASD is not a regulatory body
    - reporting security incidents or events to the ASD does not automatically create an obligation under APRA CPS 234 to report to APRA; or
  - creating a provision for security management support services for entities responding to security events, as opposed to incidents. This would create a clear separation between regulated incident reporting under the SOCI Act and the proposed Ransomware Reporting regime on the one hand, and other security events and low-impact incidents on the other, which would support ASD’s statutory function to provide cyber security advice and assistance to industry and the community.
“Whilst our member organisations appreciate the Government’s aims to help manage events and the wider economic impacts, they are concerned that, from a superannuation perspective, the [Security of Critical Infrastructure] SOCI Act potentially is too blunt an instrument, and that the proposals do not give sufficient weight to existing regulatory and contractual obligations,” ASFA said.
“Our member organisations appreciate the benefits of threat intelligence sharing across the superannuation sector, however, they believe that more needs to be done to ensure the anonymity of reporting entities,” it said.
“There are likely to be occasions where it is critical to ensure anonymity, in particular as we believe that this, in itself, would greatly encourage businesses to self-report.”