APRA warns super funds over cyber breaches, threatens fines: reports
The news: The Australian Prudential Regulation Authority (APRA) has warned superannuation funds that they must implement basic user authentication measures within months, according to media reports.
The context: A letter from APRA deputy chairwoman Margaret Cole to leading Australian super funds says that the $4.2 trillion sector is not meeting cybersecurity standards despite increased pressure to rectify weaknesses.
The watchdog's warning letter comes after a co-ordinated cyberattack on the sector saw hackers steal thousands from retired customers and exposed shortfalls in super funds’ security protocols.
The letter said the recent credential stuffing attacks reinforced its concerns about weaknesses in superannuation funds’ information security controls.
“Although APRA has consistently emphasised the importance of robust cyber security, it is clear that current controls are not always commensurate with the evolving vulnerabilities and threats, nor with the criticality and sensitivity of the member data and assets they protect,” APRA said, according to a letter seen by The Australian.
“The weaknesses we observed, especially in authentication controls, indicate a gap between APRA’s expectations … and current industry practice.”
“While APRA recognises RSE licensees’ efforts to improve their cyber defences, given the evolving threat environment, we expect to see faster and more holistic implementation of these critical controls, alongside robust capabilities to respond to cyber incidents.”
According to the AFR, Cole ordered the super funds to implement multifactor authentication for all high-risk activities including changing member details, withdrawals and rollover requests, by the end of August.
If the requirements are not met, the funds must refer to APRA the executive accountable for security under the Financial Accountability Regime, which raises the likelihood that individuals will be penalised for the failure to comply.
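The requirement as reported is a step-up rule: a password alone may not authorise a high-risk action. The following is an added illustration of that rule, not code from APRA, any fund or the reports cited; the action identifiers, the ten-minute freshness window and the sample sessions are assumptions made for the example. It shows why this control blunts credential stuffing: a correct but stolen password reaches only low-risk reads, while the three activities named in the letter demand a fresh second factor.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# High-risk member actions named in the reported letter (identifiers are assumed).
HIGH_RISK_ACTIONS = frozenset({"change_member_details", "withdrawal", "rollover_request"})

# How recently the second factor must have been verified before a high-risk action
# is allowed. The 10-minute window is an assumption for the example, not a regulatory figure.
MFA_FRESHNESS = timedelta(minutes=10)


@dataclass
class Session:
    member_id: str
    password_verified: bool              # first factor passed at login
    mfa_verified_at: Optional[datetime]  # when the second factor was last verified, if ever


def decide(session: Session, action: str, now: datetime) -> str:
    """Return 'allow', 'step_up' (prompt for a second factor) or 'deny'.

    A stolen password alone (the credential-stuffing case) gets an attacker no
    further than low-risk reads; every high-risk action needs a fresh second factor.
    """
    if not session.password_verified:
        return "deny"
    if action not in HIGH_RISK_ACTIONS:
        return "allow"
    if session.mfa_verified_at is None:
        return "step_up"
    if now - session.mfa_verified_at > MFA_FRESHNESS:
        return "step_up"  # second factor too old; re-verify before moving money or details
    return "allow"


def run_demo() -> dict:
    """Evaluate constructed sessions against a fixed clock; returns {label: decision}."""
    now = datetime(2025, 8, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    fresh = Session("member-A", True, now - timedelta(minutes=2))
    stale = Session("member-B", True, now - timedelta(hours=3))
    pw_only = Session("member-C", True, None)  # what a stuffed credential alone yields
    unauth = Session("member-D", False, None)
    return {
        "fresh_mfa_withdrawal": decide(fresh, "withdrawal", now),
        "stale_mfa_rollover": decide(stale, "rollover_request", now),
        "password_only_balance": decide(pw_only, "view_balance", now),
        "password_only_change_details": decide(pw_only, "change_member_details", now),
        "unauthenticated_balance": decide(unauth, "view_balance", now),
    }


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label}: {outcome}")
```

The decision is made per action rather than once at login, so a session that was fully verified hours ago still has to step up before a rollover; in a real system the `step_up` outcome would also be logged, since a spike of step-up prompts on accounts whose passwords suddenly verify is itself a credential-stuffing signal.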
The sources: The Australian, AFR, Capital Brief