Australia’s financial regulator has issued an urgent directive to all superannuation funds, demanding they assess and strengthen their authentication controls following a series of damaging credential stuffing attacks earlier this year. The Australian Prudential Regulation Authority (APRA) has given fund operators until the end of August to identify and report any remaining security weaknesses in their systems, as concerns mount over the industry’s vulnerability to cyber threats.
Deputy Chair Margaret Cole emphasized that recent attacks have exposed persistent gaps in the sector’s cybersecurity defenses, particularly around user authentication systems. She noted that while APRA has consistently stressed the importance of robust cyber protection, current security measures are failing to keep pace with evolving threats and the critical nature of the member data and assets at stake. The regulator is demanding faster and more comprehensive implementation of essential security controls across the industry.
The new requirements mandate that superannuation funds implement multi-factor authentication or equivalent protections for all high-risk member activities, including changes to personal details, withdrawals, benefit payments, transfers, and investment switching. Additionally, enhanced authentication must be applied to all administrative and privileged system access. APRA has specifically noted that security solutions must remain accessible to disadvantaged groups and those who may legitimately choose to avoid certain digital channels.