The Australian Prudential Regulation Authority has written to all Registrable Superannuation Entity (RSE) licensee board chairs, reiterating expectations on information security and robust authentication controls following recent credential stuffing attacks that exposed weaknesses across the superannuation industry. The letter reminds entities of their obligations under Prudential Standard CPS 234 Information Security and sets out actions to assess and uplift authentication practices. RSE licensees are expected to complete a self-assessment of information security controls, ensure multi-factor authentication (MFA) or equivalent protections are in place for high-risk activities and privileged access, and notify APRA of any material control weaknesses or breaches. Boards are also asked to identify the Financial Accountability Regime (FAR) Accountable Person(s) responsible for CPS 234 compliance.
Australian Prudential Regulation Authority 2025-06-10
Australian Prudential Regulation Authority instructs RSE licensees to self-assess CPS 234 controls and strengthen multi-factor authentication after credential stuffing attacks
The Australian Prudential Regulation Authority has reminded Registrable Superannuation Entity licensee board chairs of their obligations under Prudential Standard CPS 234 Information Security, following credential stuffing attacks. Entities must conduct a self-assessment of security controls, implement multi-factor authentication for high-risk activities, and report any material control weaknesses to APRA.