2025-08-22

Trustees' cyber-resilience is riding high on APRA's enforcement agenda for the next four years, but in the short term the regulator has warned it will escalate action where necessary if trustees cannot demonstrate that basic measures are in place.

The prudential regulator is focusing on trustees' ability to manage cybersecurity risks, particularly in the areas of multi-factor authentication (MFA) and third-party arrangements.

"APRA will prioritise targeted supervisory engagements to assess entities' progress in uplifting cyber-resilience. These engagements will focus on evaluating specific cyber-control areas and identifying potential single points of failure within entity systems, processes and dependencies," APRA wrote in its newly published 2025-26 Corporate Plan.

At a media briefing yesterday, APRA chair John Lonsdale said that super funds are "making progress" on implementing MFA.

"We've made our wish very clear as to what we'd like to see. I think, certainly for funds that were impacted, they can see the value in authentication. But we're asking for progress on that, and we want that to happen," he said.

Attempted credential stuffing attacks on Cbus, Insignia Financial, Hostplus, AustralianSuper and Australian Retirement Trust in April put into question just how seriously trustees were taking their cybersecurity obligations under CPS234.

The coordinated attacks resulted in about $750,000 being taken from the accounts of 10 AustralianSuper members and exposed gaps in cybersecurity basics such as MFA.

Two months later, APRA sent a scathing letter to trustees along with action points that must be fulfilled by August 31.

Chief among them is to perform a self-assessment of the super fund's existing information security controls.

At minimum, APRA said it expects entities to require MFA or equivalent controls for all high-risk activities, such as changes to member details, withdrawals, benefit payments, transfer or rollover requests, and investment switching.
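As an added example (not from APRA, and not any fund's code), the Python sketch below shows what a step-up check for the high-risk activities listed above might look like: a password-only session is enough for low-risk actions, but every high-risk action requires a recent MFA assertion that is bound to the current session, so a stolen or replayed login cannot be used to move money. The activity names, the five-minute freshness window and the session fields are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: activity names are hypothetical; the high-risk set mirrors the
# categories APRA calls out (member details, withdrawals, payments, transfers,
# rollovers, investment switches).
HIGH_RISK_ACTIVITIES = {
    "change_member_details",
    "withdrawal",
    "benefit_payment",
    "transfer_request",
    "rollover_request",
    "investment_switch",
}

# Assumption: an MFA assertion older than this must be redone before a
# high-risk action is accepted, even if the login session itself is still valid.
MFA_MAX_AGE = timedelta(minutes=5)


@dataclass
class Session:
    member_id: str
    session_id: str
    authenticated_at: datetime            # password login time
    mfa_verified_at: Optional[datetime]   # last successful MFA challenge, or None
    mfa_bound_session: str = ""           # session id the MFA assertion was issued for


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorise(session: Session, activity: str, now: datetime) -> Decision:
    """Decide whether `activity` may proceed on `session` at time `now`."""
    if activity not in HIGH_RISK_ACTIVITIES:
        return Decision(True, "low-risk activity; password session suffices")
    if session.mfa_verified_at is None:
        return Decision(False, "step-up required: no MFA on this session")
    # Binding the assertion to the session id stops an MFA result obtained in one
    # session from being replayed against another.
    if session.mfa_bound_session != session.session_id:
        return Decision(False, "step-up required: MFA assertion not bound to this session")
    age = now - session.mfa_verified_at
    if age > MFA_MAX_AGE:
        return Decision(False, f"step-up required: MFA is {int(age.total_seconds())}s old")
    return Decision(True, "MFA verified recently")


# Constructed scenarios (not real member data) for a stand-alone run.
NOW = datetime(2025, 8, 22, 9, 0, tzinfo=timezone.utc)
FRESH = Session("m-1", "s-1", NOW - timedelta(hours=1), NOW - timedelta(minutes=2), "s-1")
STALE = Session("m-2", "s-2", NOW - timedelta(hours=1), NOW - timedelta(minutes=30), "s-2")
NO_MFA = Session("m-3", "s-3", NOW - timedelta(minutes=1), None)
UNBOUND = Session("m-4", "s-4", NOW - timedelta(minutes=1), NOW - timedelta(minutes=1), "s-old")


def demo() -> dict:
    """Return allowed/denied outcomes for each constructed scenario."""
    return {
        "fresh_withdrawal": authorise(FRESH, "withdrawal", NOW).allowed,
        "stale_rollover": authorise(STALE, "rollover_request", NOW).allowed,
        "no_mfa_switch": authorise(NO_MFA, "investment_switch", NOW).allowed,
        "unbound_details_change": authorise(UNBOUND, "change_member_details", NOW).allowed,
        "no_mfa_view_balance": authorise(NO_MFA, "view_balance", NOW).allowed,
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The point of the freshness window and session binding is that "MFA at login" alone does not satisfy the requirement: a credential-stuffing attacker who lands in a long-lived session still has to pass a fresh challenge before the account can be drained.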

Overall, Lonsdale said that super funds are on track to meet the upcoming deadline and requirements.

"We're talking to [super funds] all the time, we will be asking a lot of questions. We will be insisting that they do what we would like them to do, and if that doesn't work, well, we can escalate up the toolkit that we've got," he said.

"This is a high priority issue for us. More broadly, beyond super funds, because this issue of cyber goes to all the industries that we regulate. It's an incredibly important risk that we need to manage. We've got a long-standing standard, it goes back to 2019, but the risk is constantly evolving."

Super funds must also alert APRA each time they experience material control weaknesses.

"We are looking at what happens, not if, but when, there is a problem, and can we resolve that problem with the entity and with other regulators in the most efficient way that we can," he said.

"On operational risk more broadly, we've got CPS230 that complements the cyber standard that we have, and third parties is a really key thing we're leaning into there."

Lonsdale added that the corporate plan was developed against the backdrop of an increasingly complex and uncertain operating environment.

"Heightened geopolitical tensions and policy uncertainty in major economies have the potential to create risks to financial stability. In this environment, the importance of a robust prudential framework takes on greater significance. A stable and resilient financial system - one that absorbs shocks and does not amplify them - remains critical to supporting the economy through periods of turbulence," he said.

