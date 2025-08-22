

Superannuation

APRA sets higher cybersecurity expectations for trustees

BY KARREN VERGARA  |  FRIDAY, 22 AUG 2025   12:27PM

Trustees' cyber-resilience is riding high on APRA's enforcement agenda over the next four years, but in the short term the regulator warned it will escalate action where necessary if they cannot prove they have basic measures in place.

The prudential regulator is leaning into trustees' ability to manage cybersecurity risks, particularly in the areas of multi-factor authentication (MFA) and third-party arrangements.

"APRA will prioritise targeted supervisory engagements to assess entities' progress in uplifting cyber-resilience. These engagements will focus on evaluating specific cyber-control areas and identifying potential single points of failure within entity systems, processes and dependencies," APRA wrote in its newly published 2025-26 Corporate Plan.

At a media briefing yesterday, APRA chair John Lonsdale said that super funds are "making progress" on implementing MFA.

"We've made our wish very clear as to what we'd like to see. I think, certainly for funds that were impacted, they can see the value in authentication. But we're asking for progress on that, and we want that to happen," he said.

Attempted credential stuffing attacks on Cbus, Insignia Financial, Hostplus, AustralianSuper and Australian Retirement Trust in April called into question just how seriously trustees were taking their cybersecurity obligations under CPS234.

The coordinated attacks resulted in about $750,000 taken from 10 members of AustralianSuper and exposed gaps in cybersecurity basics such as MFA.

Two months later, APRA sent a scathing letter to trustees along with action points that must be fulfilled by August 31.

Chief among them is to perform a self-assessment of the super fund's existing information security controls.

At minimum, APRA said it expects entities to require MFA or equivalent controls for all high-risk activities, such as changing member details, withdrawals, benefit payment or transfer or rollover requests, as well as investment switching.

Overall, Lonsdale said that super funds are tracking with the upcoming deadline and requirements.

"We're talking to [super funds] all the time, we will be asking a lot of questions. We will be insisting that they do what we would like them to do, and if that doesn't work, well, we can escalate up the toolkit that we've got," he said.

"This is a high priority issue for us. More broadly, beyond super funds, because this issue of cyber goes to all the industries that we regulate. It's an incredibly important risk that we need to manage. We've got a long-standing standard, it goes back to 2019, but the risk is constantly evolving."

Super funds must also alert APRA each time they experience material control weaknesses.

"We are looking at what happens, not if, but when, there is a problem, and can we resolve that problem with the entity and with other regulators in the most efficient way that we can," he said.

"On operational risk more broadly, we've got CPS230 that complements the cyber standard that we have, and third parties is a really key thing we're leaning into there."

Overall, Lonsdale added that the corporate plan was developed against the backdrop of an increasingly complex and uncertain operating environment.

"Heightened geopolitical tensions and policy uncertainty in major economies have the potential to create risks to financial stability. In this environment, the importance of a robust prudential framework takes on greater significance. A stable and resilient financial system - one that absorbs shocks and does not amplify them - remains critical to supporting the economy through periods of turbulence," he said.
