APRA reminds super funds of cyber obligations
Following recent cyber attacks on large super funds, including AustralianSuper and Australian Retirement Trust, the Australian Prudential Regulation Authority (APRA) has written to all RSE (Registrable Superannuation Entity) licensee board chairs, reminding them of their obligations around information security.
“The weaknesses we observed, especially in authentication controls, indicate a gap between APRA’s expectations … and current industry practice,” the letter said.
“While APRA recognises RSE licensees’ efforts to improve their cyber defences, given the evolving threat environment, we expect to see faster and more holistic implementation of these critical controls, alongside robust capabilities to respond to cyber incidents.”
APRA requires all RSE licensees to complete a self-assessment of their information security controls, ensure multi-factor authentication (MFA) or equivalent protections are in place for high-risk activities and privileged access, and notify APRA of any material control weaknesses or breaches.
Entities must also identify their Accountable Person(s) under the Financial Accountability Regime (FAR). These actions must be completed by the end of August this year.