Funds such as AustralianSuper, ART, Rest, and Hostplus were identified as targets in the April attacks and are now subject to heightened regulatory scrutiny. APRA has pressed these funds to employ specialist evaluations instead of relying on internal assessments to enhance their cyber resilience.
APRA emphasized the ongoing need for robust cybersecurity measures to protect critical member data and assets. Despite previous guidance, the regulator noted a gap between its cybersecurity standards, including expectations around multi-factor authentication (MFA), and current practice within the superannuation industry.
Sally Jameson, APRA's Head of Superannuation Policy, highlighted the urgency: “The evolving threat landscape requires faster and more comprehensive implementation of essential cyber defenses in the superannuation sector, alongside strong incident response capabilities.”
APRA's directive requires funds to:
- Conduct thorough self-assessments of their current information security controls.
- Assess the design and effectiveness of authentication controls against evolving threats, ensuring MFA or equivalent solutions are in place, particularly for high-risk activities and privileged access.
- Notify APRA of any material control weaknesses as CPS 234 requires, document the rationale wherever a weakness is classified as non-material, and report any potential breaches.
- Identify and inform APRA of the Accountable Person(s) responsible under the Financial Accountability Regime, clearly delineating their CPS 234-related responsibilities.
APRA has mandated that superannuation funds accomplish these requirements by 31 August. The directive aims to fortify the sector's cyber resilience amid a rapidly evolving digital threat environment.