APRA initiates cyber crack-down on super funds | Australian Markets


The Australian Prudential Regulation Authority (APRA) has imposed specific requirements on superannuation fund trustees to meet their obligations with respect to cyber security and resilience.

The regulator said recent “credential stuffing” attacks had strengthened its concerns about “persistent weaknesses in superannuation licensees’ information security controls, particularly those related to authentication”.

The superannuation funds identified as having been the subject of the “credential stuffing” attacks are being held to higher requirements by the regulator, including being required to engage a specialist rather than undertake self-assessment.

The funds understood to have been affected by the attacks, which occurred in April, include AustralianSuper, ART, Rest and Hostplus.

“Although APRA has consistently emphasised the importance of robust cyber security, it is clear that current controls are not always commensurate with the evolving vulnerabilities and threats, nor with the criticality and sensitivity of the member data and assets they protect,” the letter to trustee boards said.

“The weaknesses we observed, especially in authentication controls, indicate a gap between APRA’s expectations as outlined in the standard and associated guidance (including CPG 234 and previous guidance on Multi-Factor Authentication (MFA)), and current industry practice,” it said.

“While APRA recognises RSE licensees’ efforts to improve their cyber defences, given the evolving threat environment, we expect to see faster and more holistic implementation of these critical controls, alongside robust capabilities to respond to cyber incidents,” the letter said.

The letter then went on to detail what APRA described as required actions it expects of superannuation funds:

  1. Perform a self-assessment of the entity’s current information security controls.
     • The assessment should consider the implementation and effectiveness of authentication controls. It should consider the evolving threat landscape and whether stronger controls need to be implemented.
     • At a minimum, APRA expects entities to require MFA or equivalent controls for all high-risk actions (such as changing member details, withdrawals, benefit payment / transfer / rollover requests, or investment switching) and for all administrative or privileged access. Solutions should consider accessibility for disadvantaged groups or those who may legitimately opt out of certain digital channels.
  2. Where strong authentication controls (including requiring MFA or equivalent controls for high-risk actions and privileged access) have not been implemented or are deficient:
     • Submit to APRA a material control weakness notification in accordance with paragraph 35(a) of CPS 234, or provide a clear rationale on why the identified issue (i.e. deficiency in authentication controls) is not material. This rationale should detail how your overall control environment, including other compensating controls, appropriately manages the related risk.
     • If a material control weakness is identified and notified to APRA, conduct a breach assessment to determine if this also constitutes a breach of CPS 234 and, if so, submit a formal breach notification to APRA.
  3. Advise of the RSE licensee’s Accountable Person(s) under the Financial Accountability Regime (FAR) with responsibilities related to CPS 234 compliance and, if more than one, specify what aspects of compliance each of their responsibilities cover.

The regulator said it expects the superannuation funds to complete the actions by no later than 31 August.
