APRA has imposed additional licence restrictions on NGS Super, which suffered a cyber attack earlier this year.
Significant deficiencies were identified in the fund’s cyber controls, APRA said, which has 114,000 members and $14 billion in assets under management.
The fund suffered a cyber attack in March where a cyber attacker gained access to some of its systems for a short period of time.The super fund assured members the incident had not impacted their super savings or the funds’ assets, which remained secure on a separate platform.
The restrictions, which will apply from 11 December, follow an internal report by NGS and an independent tripartite review undertaken at APRA’s request.
The reviews identified deficiencies in NGS’ compliance with Prudential Standard CPS 234 – Information Security, while the cyber incident involved a significant amount of data being lost and NGS’ systems being compromised for a period.
APRA acknowledged NGS to taken steps since the attack to address the review’s recommendations, the additional license conditions will require NGS to engage with an independent third party to provide assurance regarding NGS’ remediation activities and to address the recommendations contained in the internal audit and tripartite review reports and conduct an operational effectiveness review of the CPS 234 controls and frameworks in place for NGS.
NGS is required to provide APRA with an attestation from its chair that the actions are complete and effective and are compliant with CPS 234.
A statement from NGS Super said: "NGS Super is working with APRA to meet the additional requirements they have requested of the fund, primarily in relation to compliance with CPS 234. We’ve reviewed our processes and acted to further strengthen the protection of our members’ data and retirement savings. We’ve had multifactor authentication for a very long time and have now implemented enhanced cyber controls across the fund and we’ll continue to do so to minimize risk and maximize protection of our information security.
"We remain confident of the actions we’ve taken and continue to do following a thorough review of our cyber security. We’re also committed to working with APRA and an independent party to identify and implement additional actions. Ultimately, this will lead to further assurance and protection for our members.
"We use administrative, physical, and technical safeguards to protect the confidentiality and integrity of personal information and data and are committed to protecting our members' personal information."
In May, APRA wrote to its regulated entities to reinforce the importance of multifactor authentication to protect sensitive data from cyber attacks.
In an open letter, Alison Bliss, general manager for operational resilience, cross industry division, told APRA-regulated entities that it was a “material security control weakness” if firms failed to comply.
“Multifactor authentication (MFA) is one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and accessing sensitive information.”