The Australian Prudential Regulation Authority (APRA) has written to all Registrable Superannuation Entity (RSE) licensee board chairs, reinforcing expectations for information security and robust authentication controls following recent credential stuffing attacks that highlighted weaknesses across the superannuation industry. APRA reminded RSE licensees of their obligations under Prudential Standard CPS 234 Information Security and set out actions to assess and uplift authentication practices. These include completing a self-assessment of information security controls, ensuring multi-factor authentication (MFA) or equivalent protections for high-risk activities and privileged access, notifying APRA of any material control weaknesses or breaches, and identifying the Accountable Person(s) under the Financial Accountability Regime (FAR) responsible for CPS 234 compliance.
Australian Prudential Regulation Authority 2025-06-10
Australian Prudential Regulation Authority directs superannuation trustee boards to review CPS 234 controls and strengthen authentication after credential stuffing attacks
The Australian Prudential Regulation Authority (APRA) directed Registrable Superannuation Entity (RSE) licensee board chairs to strengthen information security and authentication controls following recent credential stuffing attacks. APRA emphasised compliance with Prudential Standard CPS 234, urging RSE licensees to self-assess their information security controls, implement multi-factor authentication or equivalent protections for high-risk activities and privileged access, report material control weaknesses or breaches to APRA, and designate the Accountable Person(s) under the Financial Accountability Regime responsible for CPS 234 compliance.