2023-12-08

Almost nine months on from a cyber breach that saw member data taken, the $14 billion super fund will have to contend with additional licence conditions as it looks to remedy "significant deficiencies" in its cyber controls.

As first reported by Financial Standard, on March 17 the super fund's systems were compromised in a cyber-attack, with "some limited data" accessed. NGS was adamant its systems were only accessed for a short period.

At the time, NGS Super said its network was shut down immediately and an investigation was commenced, alongside comprehensive cybersecurity protocols and enhanced network monitoring.

Today, APRA said the incident "involved a significant amount of data being lost."

APRA said the decision to implement the additional conditions follows an internal report prepared by NGS's internal auditor in August 2022 and an independent review undertaken in April of this year at APRA's request following the attack.

"The reviews identified deficiencies in NGS' compliance with Prudential Standard CPS 234 - Information Security (CPS 234), while the cyber incident involved a significant amount of data being lost and NGS' systems being compromised for a period," the regulator said.

It added that while NGS has taken steps to address the recommendations in the reviews, the additional conditions now require the fund to engage an independent third party to provide assurance regarding remediation activities and to address the recommendations of the reviews. The third party must also conduct an operational effectiveness review of the controls and frameworks in place at NGS aligned to CPS 234.

In a statement, NGS said it is working with APRA to meet the additional requirements.

"We've reviewed our processes and acted to further strengthen the protection of our members' data and retirement savings. We've had multifactor authentication for a very long time and have now implemented enhanced cyber controls across the fund and we'll continue to do so to minimise risk and maximise protection of our information security," the fund said.

"We remain confident of the actions we've taken and continue to do following a thorough review of our cyber security. We're also committed to working with APRA and an independent party to identify and implement additional actions. Ultimately, this will lead to further assurance and protection for our members.

"We use administrative, physical, and technical safeguards to protect the confidentiality and integrity of personal information and data and are committed to protecting our members' personal information."

Regulators have for some time been encouraging the financial services industry to enhance its cyber protections.

According to MinterEllison's 2023 Cyber Risk Report, 82% of survey respondents from the financial services sector ranked cyber risk among their top five priorities. However, only half of respondents (across all sectors) believed their organisation had sufficient resources to monitor and respond to its cybersecurity needs.

ASIC chair Joe Longo has also made clear that boards will be held to account when things go wrong on the cyber front.

"ASIC expects directors to ensure their organisation's risk management framework adequately addresses cybersecurity risk, and that controls are implemented to protect key assets and enhance cyber resilience," he has said previously.

"Failing to do so could mean failing to meet your regulatory obligations."