APRA calls for stronger cyber resilience in superannuation

11 August 2025
By Adrian Suljanovic

Australia’s $4 trillion superannuation sector has been warned to close cyber security gaps after recent attacks exposed weaknesses and tested its ability to co-ordinate responses.

The Australian Prudential Regulation Authority (APRA) has urged superannuation funds to strengthen their cyber resilience and authentication controls after a series of attacks in March and April targeted individual members.

While the incidents were contained, the regulator said they underscored the industry’s attractiveness to threat actors and the need for sector-wide collaboration to protect member trust.

While hosting the Superannuation Industry Roundtable with government agencies, regulators, and industry leaders, APRA said the super sector’s systemic importance and asset size made it a high-value target for cyber criminals.

The regulator exhorted funds to act immediately when weaknesses are identified, continually test their defences, and co-ordinate closely with peers rather than operating in isolation.

APRA noted that funds with clear accountability for member protection and a strong understanding of payment processes responded faster and recovered funds more effectively than others.

It also warned that public perception and member trust can be damaged as much by poor communications as by the attack itself.

National cyber security co-ordinator, Lieutenant General Michelle McGuinness, told the meeting that threat actors increasingly replicate successful methods across entire sectors.

She said competition can sometimes slow co-operation and called for rapid information sharing during incidents to boost responsiveness and resilience. She also emphasised the importance of clear stakeholder engagement, rehearsed incident response plans, and knowing where sensitive data is stored.

McGuinness further warned that recovery from an attack can stretch over several months, involving remediation, reviews, legal action, and regulatory scrutiny. She praised organisations willing to share lessons learned and acknowledged that risks in one sector should be treated as potential threats across all industries.

Several funds shared operational lessons from recent incidents, including the challenges of low member engagement during crises, the need for consistent messaging, and proactive media handling, according to APRA.

Entities stated that social media monitoring proved the fastest way to track emerging issues, while clear communication channels with third-party providers (such as administrators and banks) were critical to co-ordinated responses.

Strong partner relationships, regular information sharing, and shared digital workspaces enabled rapid action across the superannuation supply chain.

The Australian Signals Directorate said the financial sector remains a target for both profit-driven and state-sponsored attacks.

Recent trends include credential stuffing, ransomware and data breaches, distributed denial-of-service activity, and exploitation of unpatched vulnerabilities.

APRA stated that registrable superannuation entity licensees and operators must address immediate threats during an attack, but called for the development of a co-ordinated industry response capability.

No changes are planned to the Cyber Operational Intelligence-led Exercises program, and APRA reiterated its expectations on multifactor authentication, as outlined in recent industry correspondence.
