Australia's super funds told to assess authentication controls

After wave of credential stuffing attacks.

Superannuation funds have until the end of August to identify and flag any residual authentication control weaknesses in their environments following a series of credential stuffing attacks earlier this year.

The Australian Prudential Regulation Authority (APRA) wrote to all funds to remind them of their obligations to secure member funds and data.

“Recent credential stuffing attacks have reinforced APRA’s concerns about persistent weaknesses in [superannuation entities’] information security controls, particularly those related to authentication,” deputy chair Margaret Cole wrote.

“Although APRA has consistently emphasised the importance of robust cyber security, it is clear that current controls are not always commensurate with the evolving vulnerabilities and threats, nor with the criticality and sensitivity of the member data and assets they protect.”

Cole said that APRA wanted to see a “faster and more holistic implementation” of critical controls, including the application of multi-factor authentication or equivalent controls when performing certain account-related actions.

These include “all high-risk activities such as changing member details, withdrawals, benefit payment, transfer and rollover requests, or investment switching, and for all administrative or privileged access,” Cole wrote.

Security solutions also needed to be accessible for disadvantaged groups “or those who may legitimately opt-out of certain digital channels.”

All fund operators have until the end of August to assess their controls and report any weaknesses, although those that were directly impacted by the credential stuffing attacks must perform extra assessments.

Cole wrote that APRA “remains firmly focused on this critical issue and will continue to pursue it through supervisory and other regulatory actions as necessary.”

“APRA expects all trustees - regardless of size - to treat this matter with the urgency and priority it demands, in line with the risks they manage and their duty to protect member interests.”

Copyright © iTnews.com.au. All rights reserved.