APRA’s deputy chair Margaret Cole said the attacks had reinforced the regulator’s concerns about weaknesses in funds’ information-security controls, as she reminded funds they have a “non-negotiable” obligation to keep members’ money and data safe.
APRA deputy chair Margaret Cole. Credit: Louise Kennerley
“Recent credential stuffing attacks have reinforced APRA’s concerns about persistent weaknesses in RSE [registrable superannuation entity] licensees’ information-security controls, particularly those related to authentication,” Cole said.
“Although APRA has consistently emphasised the importance of robust cybersecurity, it is clear that current controls are not always commensurate with the evolving vulnerabilities and threats, nor with the criticality and sensitivity of the member data and assets they protect.”
The Association of Superannuation Funds of Australia said APRA’s expectations were fair and reasonable, and the industry body had started work on establishing sector-wide minimum fraud controls.
AustralianSuper said the fund had multi-factor authentication on its app and web portal, and there were also back-end systems that provided further protection. Security upgrades continued to be rolled out, it said.
Rest said multi-factor authentication was used for a number of processes including member access logins and registering for the app, and it also monitored for fraud in other ways.
Cbus said multi-factor authentication was already in place for key changes on members’ accounts, including to change password or contact details, and to request payments or withdrawals. The fund said in April that it detected a spike in login attempts, but it found no evidence of funds being stolen or of attackers accessing members’ personal information or accounts.
Australian Retirement Trust said the fund had introduced multi-factor authentication last year and it would continue to work closely with regulators to support members, including looking at helping members who had not opted into multi-factor authentication.
Insignia said it had multi-factor authentication in place for Expand, the platform that was targeted in this year’s cyberattack, for key activities such as registration, withdrawals and bank account changes.
Hostplus also already has multi-factor authentication in place.