Super funds to take stock of information security controls

BY JAMIE WILLIAMSON | TUESDAY, 10 JUN 2025 12:18PM

The super funds that saw member accounts breached by cybercriminals in April have been instructed to undertake a "special purpose engagement," as APRA asks all trustees to review their compliance with Prudential Standard CPS 234 Information Security.

After some super funds were targeted by cybercriminals in April, the prudential regulator is now reminding trustees of its expectations regarding information security.

APRA said the incident, which it referred to as 'credential stuffing', reinforced the "persistent weaknesses" in licensees' information security controls.

Five major super funds saw their systems breached when cybercriminals accessed members' accounts using personal details and passwords available on the dark web, and a small number of members had their retirement savings stolen.

In a letter to super fund chairs, APRA deputy chair Margaret Cole said that although APRA "has consistently emphasised the importance of robust cybersecurity, it is clear that current controls are not always commensurate with the evolving vulnerabilities and threats, nor with the criticality and sensitivity of the member data and assets they protect."

As such, APRA has issued all super funds an assignment. All RSEs must perform a self-assessment of their existing information security controls, which must include evaluating the effectiveness of authentication controls and whether stronger controls are required.

APRA said it expects multi-factor authentication (MFA) or equivalent controls for all high-risk activities, including changing member details, withdrawals, benefit payments, transfers and rollover requests, and investment switching, and for all administrative or privileged access.

"Solutions should consider accessibility for disadvantaged groups or those who may legitimately opt-out of certain digital channels," APRA said.

Where funds have not implemented such authentication controls, or those controls are found to be deficient, they must submit a material control weakness notification to APRA and provide a clear explanation as to why the issue is not material and how it is appropriately managed. They must then also conduct a breach assessment to determine whether it also constitutes a breach of CPS 234.

Finally, all funds must advise APRA of their accountable person(s) under the Financial Accountability Regime (FAR) with responsibilities related to CPS 234 compliance, including specifics of those responsibilities.

However, the funds confirmed to have been targeted in the credential stuffing incident, AustralianSuper, Australian Retirement Trust, Hostplus, Insignia Financial and Rest, have been given a separate task. Instead of completing the self-assessment, these funds must undertake a special purpose engagement to assess the adequacy and effectiveness of their controls. This involves an auditor, either the fund's existing auditor or one specially engaged by the fund, providing a report on the matters specified by APRA and on the fund's compliance with regulatory requirements and its own risk management framework.

APRA expects all funds to have completed these tasks by August 31.

"APRA remains firmly focused on this critical issue and will continue to pursue it through supervisory and other regulatory actions as necessary. APRA expects all trustees, regardless of size, to treat this matter with the urgency and priority it demands, in line with the risks they manage and their duty to protect member interests," Cole said.

"The industry is systemically significant, and many millions of Australians rely upon it for the safekeeping of funds to support their retirement. The obligation of superannuation entities to ensure the safety and security of members' retirement savings and member data is non-negotiable."