Thought that a poor rate of return, high fees or Trump’s constant attacks were bad for your super? Now the hackers are at the door, and APRA’s not having it.
It’s all about the reputation of the $4 trillion Australian superannuation system, says APRA. In a ‘must improve’ letter sent to fund operators today, APRA wants to make sure the industry starts caring a little more about hackers.
And it’s not a directive without merit, either, following a recent cyberattack on HostPlus, REST and AustralianSuper. Millions of personal data records - and even some retirement cash - were made off with in that one. And that’s not to mention the big hacks of Optus and Medibank in recent years.
So with these cases fresh in everyone’s minds, the prudential regulator has fired a very public warning shot at the broader super industry. APRA spent Tuesday calling out “persistent weaknesses” in authentication controls and demanding immediate improvements.
The message? Do better. And do it fast.
The warning comes after a series of credential stuffing attacks — where hackers use stolen login credentials from unrelated breaches to gain access to user accounts — exposed glaring gaps in how some super funds handle authentication.
If you’ve ever used the same password twice for different logins, you’re at risk.
It’s a relatively simple and common hack, yet one that shouldn’t really be possible at a multi-billion dollar super fund.
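The credential stuffing pattern described above is detectable in ordinary authentication logs: one source address cycling through many different usernames in a short window, with most attempts failing because most leaked passwords are stale. The following is an added example written for this article, not code from APRA or any super fund; the log format, field names and thresholds are assumptions, and the sample log lines are constructed. The second function lists the accounts that did log in from a flagged address, which is the set a fund would want to force back through MFA and a password reset.

```python
"""Credential stuffing detector over constructed authentication logs.

Added example, not from the article or any fund's systems. The log format,
field names and thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format per line:
# <ISO-8601 timestamp> <source IP> <username> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2025-06-10T09:00:01Z 203.0.113.7 alice.m FAIL
2025-06-10T09:00:02Z 203.0.113.7 bob.k FAIL
2025-06-10T09:00:02Z 203.0.113.7 carol.t FAIL
2025-06-10T09:00:03Z 203.0.113.7 dave.r SUCCESS
2025-06-10T09:00:04Z 203.0.113.7 erin.s FAIL
2025-06-10T09:00:05Z 203.0.113.7 frank.l FAIL
2025-06-10T09:00:06Z 203.0.113.7 grace.h FAIL
2025-06-10T09:00:07Z 203.0.113.7 heidi.p FAIL
2025-06-10T09:00:08Z 203.0.113.7 ivan.w SUCCESS
2025-06-10T09:00:09Z 203.0.113.7 judy.c FAIL
2025-06-10T09:01:00Z 198.51.100.4 alice.m FAIL
2025-06-10T09:01:20Z 198.51.100.4 alice.m FAIL
2025-06-10T09:01:45Z 198.51.100.4 alice.m SUCCESS
2025-06-10T09:30:00Z 192.0.2.9 bob.k SUCCESS
"""

# Assumed thresholds: tune against real traffic before relying on them.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5   # many different accounts from one IP is the stuffing signature
MIN_FAIL_RATIO = 0.5     # a real user mistyping one password looks nothing like this


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, outcome) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    events.sort()
    return events


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Slide a time window over each source IP's attempts and flag IPs that
    touch many distinct usernames with a high failure ratio.

    Returns {ip: {"distinct_users", "attempts", "fail_ratio", "compromised"}},
    where "compromised" lists usernames that authenticated successfully from a
    flagged IP inside a matching window.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window's left edge until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            fail_ratio = fails / len(win)
            if len(users) >= min_users and fail_ratio >= min_fail_ratio:
                rec = flagged.setdefault(ip, {"distinct_users": 0, "attempts": 0,
                                              "fail_ratio": 0.0, "compromised": set()})
                rec["distinct_users"] = max(rec["distinct_users"], len(users))
                if len(win) > rec["attempts"]:
                    # Report the failure ratio of the largest matching window.
                    rec["attempts"] = len(win)
                    rec["fail_ratio"] = round(fail_ratio, 2)
                rec["compromised"].update(e[2] for e in win if e[3] == "SUCCESS")

    for rec in flagged.values():
        rec["compromised"] = sorted(rec["compromised"])
    return flagged


def accounts_needing_step_up(flagged):
    """Accounts whose sessions came from a flagged IP: invalidate the session,
    require MFA re-verification and a password reset before any withdrawal or
    detail change is allowed."""
    accounts = set()
    for rec in flagged.values():
        accounts.update(rec["compromised"])
    return sorted(accounts)


if __name__ == "__main__":
    result = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, rec in result.items():
        print(ip, rec)
    print("force step-up for:", accounts_needing_step_up(result))
```

On the constructed log, 203.0.113.7 is flagged (ten usernames in nine seconds, 80% failures) and two accounts that logged in from it are listed for forced re-verification; 198.51.100.4 is not flagged, because three attempts on a single username is what a user mistyping a password looks like, not a stuffing run. In production the same aggregation would key on the ASN or subnet as well as the single IP, since stuffing tooling rotates addresses.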
These aren’t small outfits with shoestring budgets — they’re systemically significant institutions tasked with safeguarding the retirement savings of millions of Australians.
Under something catchily-named "Prudential Standard CPS 234", super funds already have a legal obligation to maintain information security controls that match the sensitivity of the data they hold.
But APRA says too many funds are still falling short on the basics. Simple stuff like multi-factor authentication (MFA) for high-risk activities like fund withdrawals, account changes, or privileged system access.
Now, the regulator is forcing the issue.
Every RSE (Registrable Superannuation Entity) licensee must complete a detailed self-assessment of their authentication controls by 31 August. If they identify any material weaknesses — or if they don’t have robust MFA in place — they need to report it to APRA and explain why it hasn’t already been fixed. And if it amounts to a breach of CPS 234, they’ll need to lodge that too. And nobody wants to be caught in public not having done the required homework.
The buck won’t stop with IT teams either. Funds must formally nominate the individual or individuals responsible for CPS 234 compliance under the Financial Accountability Regime (FAR), ensuring there’s a name — and potential consequences — tied to any failure. This is similar to how banks have to name people responsible for certain business units under the Banking Executive Accountability Regime (BEAR), introduced around the time of the last Royal Commission into the banks.
This is more than just regulatory housekeeping. Cybercrime is on the rise, and retirement savings are a juicy target. The superannuation sector may not be consumer-facing in the same way banks are, but its role in the financial system is just as critical — if not more so, given the scale of assets under management.
For APRA, this is a moment to draw a line in the sand.
“We expect all trustees—regardless of size—to treat this matter with the urgency and priority it demands,” Deputy Chair Margaret Cole wrote. “An inadequate control environment poses an unacceptable threat to the security of member funds and data.”
Some funds — including those directly affected by the recent attacks — will face even closer scrutiny. They’ll be required to conduct a special-purpose engagement to assess their authentication systems, going beyond the self-assessment process required of the broader industry.
Meanwhile, APRA has made it clear this won’t be a one-off. The regulator will continue to monitor compliance and isn’t ruling out further regulatory action — including changes to how information security obligations are enforced sector-wide.
In short: the honeymoon is over. Super funds that still think cyber risk is a technical problem — not a governance one — are about to get a wake-up call.