CFOtech Australia - Technology news for CFOs & financial decision-makers

APRA tightens the cyber screws: What’s next for super funds and their partners?


In today's environment, no organisation is immune to a cyber incident. This is especially true for the superannuation industry, as funds are custodians of trillions of dollars in member savings, making them highly attractive targets for cyber criminals.

Recent cyber events have sharpened regulatory focus on the sector, prompting the Australian Prudential Regulation Authority (APRA) to issue a clear warning to all Registrable Superannuation Entity (RSE) licensees: uplift your cyber security controls, particularly in areas like identity management and multi-factor authentication (MFA), or face supervisory or regulatory actions.

This means that APRA-regulated organisations must ensure they have robust cyber protection in place, particularly in the areas of identity management and multi-factor authentication (MFA). Where these controls are weak or absent, a formal assessment must be conducted, and APRA must be promptly notified.

APRA has issued a 31 August 2025 deadline for superannuation funds to comply with these latest requirements. As this quickly approaches, let's take a closer look at how super funds can improve cyber controls:

  1. Understand the obligations related to CPS 234

CPS 234 (Information Security) is a binding prudential standard, not just guidance. It requires APRA-regulated entities to maintain robust information security capabilities, effectively manage risks, and report material incidents (within 72 hours). These obligations are designed to protect the organisation, its customers, and the broader financial system.

Cyber risk has become a board-level concern, tied directly to governance, accountability, and financial resilience. APRA's expectations in this space should not be seen as optional or advisory. To ensure compliance and resilience, start by reviewing the relevant prudential standards and guidance on APRA's website, or speak directly with your APRA supervisor. Business leaders must have a clear understanding of how the organisation currently aligns with APRA's requirements and where any gaps may exist.

  2. Prioritise strong authentication and identity controls

APRA has emphasised that superannuation funds must reduce exposure to credential-based attacks such as credential stuffing. At a minimum, this means implementing multi-factor authentication (MFA) across all relevant user accounts and systems.

In the long term, APRA expects regulated entities to adopt stronger identity and access controls, which may include principles of zero trust, such as continuous verification and limited access by default. Under this approach, even if an attacker gains access to a user's account, they must still reverify their identity to carry out high-risk actions, such as transferring funds or updating banking details.
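The re-verification rule described above can be expressed as a small authorisation policy: a session that only holds a password is never enough, low-risk actions ride on the existing MFA, and high-risk actions (or any action the policy has not classified, which is the "limited access by default" principle) require a strong factor verified within the last few minutes. The following is an added example and not code from the article or from any fund's platform; the action tiers, factor names and the five-minute freshness limit are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy for this example: tiers and freshness limit are
# assumptions, not values taken from APRA's standards.
LOW_RISK_ACTIONS = {"view_balance", "view_statements"}
# Listed for documentation only: anything NOT in LOW_RISK_ACTIONS, including
# actions nobody has classified yet, is treated as high risk.
HIGH_RISK_ACTIONS = {"transfer_funds", "update_bank_details", "change_contact_details"}
STRONG_FACTORS = {"totp", "passkey", "push_approval"}
STEP_UP_MAX_AGE = timedelta(minutes=5)  # how recent MFA must be for high-risk actions


@dataclass
class Session:
    user_id: str
    # factor name -> time that factor was last verified in this session
    verified_factors: dict = field(default_factory=dict)


def record_verification(session, factor, now):
    """Called by the login or step-up flow once a factor has been verified."""
    session.verified_factors[factor] = now


def evaluate(session, action, now):
    """Return (allowed, reason) for an action in this session."""
    strong = [t for f, t in session.verified_factors.items() if f in STRONG_FACTORS]
    if not strong:
        # Password-only session: insufficient regardless of the action.
        return False, "mfa_required"
    if action in LOW_RISK_ACTIONS:
        return True, "ok"
    # High-risk or unrecognised action: the strong factor must be fresh.
    if now - max(strong) > STEP_UP_MAX_AGE:
        return False, "step_up_required"
    return True, "ok"


def demo():
    """Walk a constructed session through the policy; returns each decision."""
    t0 = datetime(2025, 8, 1, 9, 0, 0)
    s = Session("member-0001")  # constructed member id
    record_verification(s, "password", t0)
    out = {"password_only": evaluate(s, "view_balance", t0)}
    record_verification(s, "totp", t0)
    out["fresh_mfa_transfer"] = evaluate(s, "transfer_funds", t0 + timedelta(minutes=1))
    later = t0 + timedelta(minutes=30)
    out["stale_view"] = evaluate(s, "view_balance", later)
    out["stale_transfer"] = evaluate(s, "transfer_funds", later)
    out["stale_unknown"] = evaluate(s, "export_member_data", later)
    record_verification(s, "totp", later)  # member re-verifies on prompt
    out["after_step_up"] = evaluate(s, "update_bank_details", later)
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20s} -> {decision}")
```

The important design choice is the default branch: because the policy only whitelists low-risk actions, a feature shipped without a risk classification falls into the step-up path rather than silently bypassing MFA.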

  3. Monitor for common credential stuffing attacks

Credential stuffing, where attackers reuse credentials stolen in other breaches to gain unauthorised access, remains a prevalent threat. Funds should continuously monitor for abnormal login patterns and proactively block suspicious activity. Aligning with APRA's firm expectations on security controls will not only enhance the current approach but also position the industry to proactively rebuild trust.
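The "abnormal login pattern" that distinguishes credential stuffing from an ordinary forgotten password is a single source cycling through many different usernames with a very high failure rate; the rare success inside such a burst is the account that needs a forced password reset and a member notification. The detector below is an added example, not the article's or any vendor's code; the log format and the sample lines are constructed, and the window and thresholds are assumptions to be tuned against a fund's own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example (not a real product's format):
#   <ISO 8601 timestamp>Z src=<ip> user=<username> result=ok|fail
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source sprays seven usernames and lands one hit;
# another source is a member mistyping their own password twice.
SAMPLE_LOG = """\
2025-08-01T09:00:01Z src=203.0.113.10 user=alice result=fail
2025-08-01T09:00:02Z src=203.0.113.10 user=bob result=fail
2025-08-01T09:00:03Z src=203.0.113.10 user=carol result=fail
2025-08-01T09:00:04Z src=203.0.113.10 user=dave result=fail
2025-08-01T09:00:05Z src=203.0.113.10 user=erin result=fail
2025-08-01T09:00:06Z src=203.0.113.10 user=frank result=fail
2025-08-01T09:00:07Z src=203.0.113.10 user=grace result=ok
2025-08-01T09:01:00Z src=198.51.100.7 user=alice result=fail
2025-08-01T09:01:10Z src=198.51.100.7 user=alice result=fail
2025-08-01T09:01:20Z src=198.51.100.7 user=alice result=ok
""".splitlines()


def parse_auth_log(lines):
    """Parse lines into (timestamp, src, user, ok) tuples, oldest first.
    Malformed lines are skipped rather than crashing the pipeline."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"] == "ok"))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, min_failure_ratio=0.8):
    """Sliding window per source IP. A source is flagged when, within the
    window, it has tried at least min_distinct_users different usernames and
    most attempts failed. Any success inside a flagged window is recorded as
    a probable account compromise."""
    recent = defaultdict(deque)  # src -> deque of (ts, user, ok) in window
    alerts = {}
    for ts, src, user, ok in events:
        q = recent[src]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u, _ in q}
        failures = sum(1 for _, _, was_ok in q if not was_ok)
        if len(users) >= min_distinct_users and failures / len(q) >= min_failure_ratio:
            a = alerts.setdefault(src, {"attempts": 0, "distinct_users": 0, "successes": set()})
            a["attempts"] = max(a["attempts"], len(q))
            a["distinct_users"] = max(a["distinct_users"], len(users))
            a["successes"] |= {u for _, u, was_ok in q if was_ok}
    return alerts


if __name__ == "__main__":
    for src, a in detect_credential_stuffing(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{src}: {a['attempts']} attempts across {a['distinct_users']} users; "
              f"successful logins to reset: {sorted(a['successes'])}")
```

Keying on the source address alone is the simplest form; in production the same logic is usually run a second time keyed on a device fingerprint or ASN, because stuffing tools rotate IPs through proxy pools.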

As cyber-attacks become more targeted and sophisticated, even mature environments need regular re-evaluation. If gaps emerge, it's not only prudent but expected to report the weaknesses to APRA. A CPS 234 breach assessment may be appropriate, along with formal notification, depending on the nature and impact of the incident.

  4. Don't overlook outsourcing: SPS 231 / CPS 230 matters too

The responsibility for cyber security doesn't end with the superannuation fund. SPS 231 (Outsourcing), soon to be replaced by CPS 230 (due to take effect from 1 July 2025), places additional obligations on APRA-regulated entities to manage risks associated with third-party service providers, especially those that have access to customer data or that manage critical operations.

Technology partners are not just vendors; they are part of the risk chain. They must actively contribute to strengthening identity management, access controls, and secure integration practices.

What can partners do?

If you're a service provider supporting a superannuation fund, your role extends beyond delivering solutions: you're a key player in helping customers strengthen authentication processes, particularly around identity lifecycle management and multi-factor authentication (MFA) enablement.

But that's just the foundation. Partners can also:

  • Support regular access reviews to ensure users have the appropriate permissions at every stage of their employment.
  • Enable anomaly detection to flag unusual behaviour patterns that may indicate credential compromise.
  • Streamline identity offboarding to promptly revoke access when users leave or change roles.
  • Promote secure integration practices when connecting third-party tools and platforms.
  • Offer training or education to help superannuation fund staff and members understand cyber risks and use authentication tools effectively.
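The first and third items in the list above (access reviews and offboarding) come down to one reconciliation: compare the HR system's view of who is employed and in what role against the identity provider's view of which accounts are enabled and what groups they hold. The check below is an added example rather than the article's or any product's code; the role baseline, the HR and IdP records and the finding categories are constructed assumptions, and a real review would pull the two sides from the HR and IdP APIs.

```python
from dataclasses import dataclass

# Constructed entitlement baseline: which groups each role is allowed to hold.
# A role missing from this table gets no entitlements (least privilege).
ROLE_BASELINE = {
    "member_services": {"crm_read", "member_portal_support"},
    "payments_officer": {"crm_read", "payments_approve"},
}


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    role: str
    active: bool  # False once HR has processed a termination


@dataclass(frozen=True)
class IdpAccount:
    user_id: str
    enabled: bool
    groups: frozenset


def access_review(hr_records, idp_accounts):
    """Reconcile IdP accounts against HR. Returns three kinds of findings:
    'disable'  - HR says terminated, but the account is still enabled
    'orphan'   - enabled account with no HR record at all
    'excess'   - active user holding groups beyond their role's baseline"""
    hr = {r.user_id: r for r in hr_records}
    findings = {"disable": [], "orphan": [], "excess": {}}
    for acct in idp_accounts:
        rec = hr.get(acct.user_id)
        if rec is None:
            if acct.enabled:
                findings["orphan"].append(acct.user_id)
            continue
        if not rec.active:
            if acct.enabled:
                findings["disable"].append(acct.user_id)
            continue
        extra = acct.groups - ROLE_BASELINE.get(rec.role, set())
        if extra:
            findings["excess"][acct.user_id] = sorted(extra)
    return findings


# Constructed sample data for the review.
SAMPLE_HR = [
    HrRecord("alice", "member_services", active=True),
    HrRecord("bob", "payments_officer", active=False),   # left last month
    HrRecord("carol", "payments_officer", active=True),
]
SAMPLE_IDP = [
    # alice changed roles but kept her old payments group
    IdpAccount("alice", True, frozenset({"crm_read", "member_portal_support", "payments_approve"})),
    IdpAccount("bob", True, frozenset({"crm_read", "payments_approve"})),
    IdpAccount("carol", True, frozenset({"crm_read", "payments_approve"})),
    IdpAccount("svc-legacy-import", True, frozenset({"crm_read"})),  # nobody owns this
]


if __name__ == "__main__":
    for category, items in access_review(SAMPLE_HR, SAMPLE_IDP).items():
        print(f"{category}: {items}")
```

Running the reconciliation on a schedule, and feeding the 'disable' list straight into the IdP rather than into a ticket queue, is what turns a periodic access review into the prompt revocation the list asks for.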

Looking ahead

Now is the time to protect your identity and account infrastructure. APRA's increased scrutiny on cyber resilience is part of a broader shift: toward a financial system where trust is protected by design. Strengthening identity and access infrastructure now not only reduces the risk of breach but also lays the foundation for more secure digital services.

In a digital world, if you get identity right, the rest of your cyber strategy becomes much easier to manage. Contact us for an APRA MFA Readiness Assessment.
