On Jun. 10, AST APRA wrote to superannuation sector licensees on authentication controls.
AST APRA published a letter requiring specific actions to confirm compliance with Prudential Standard CPS 234 Information Security, after recent credential stuffing attacks exposed persistent weaknesses in licensees' authentication practices.
AST APRA noted a gap between the expectations set out in CPS 234 and its associated guidance, and current industry practice, particularly regarding authentication controls.
AST APRA reminded all licensees of their binding obligations under paragraph 21 of CPS 234, which requires information security controls commensurate with the vulnerabilities and threats to information assets, and with the criticality and sensitivity of those assets.
The standard requires entities to maintain cyber resilience that reflects their critical role in the financial system and their responsibility to members to protect retirement savings and member data.
AST APRA also observed weaknesses in authentication controls that indicate an inadequate control environment and pose an unacceptable threat to the security of member funds and data.
Required Actions by Licensees
Perform a self-assessment of the entity's existing information security controls, evaluating the rollout and effectiveness of authentication controls against the evolving threat landscape.
Require multi-factor authentication (MFA) or an equivalent control for high-risk activities, including changing member details, withdrawals, benefit payments, transfers and rollover requests; these are the actions an attacker who has obtained a valid password through credential stuffing would seek to perform, so a second factor at these points limits the damage a compromised credential can do.
Require MFA or an equivalent control for all administrator or privileged access. In applying these requirements, licensees should consider accessibility for disadvantaged groups and for members who have legitimately opted out of digital channels.
Where robust authentication controls have not been implemented or are deficient, entities must submit a material control weakness notification under paragraph 35(a) of CPS 234, or provide a clear rationale for why the identified deficiency is not material.
That rationale must detail how the overall control environment, including any compensating controls, appropriately manages the associated risk.
Where a material control weakness is identified and notified to APRA, the entity must also conduct a breach assessment to determine whether it is in breach of CPS 234 and, if so, submit a formal breach notification.
Entities must advise APRA of the licensee's accountable person(s) under the Financial Accountability Regime (FAR) whose responsibilities cover CPS 234 compliance, specifying the areas each person covers.
Special Purpose Engagements
AST APRA is issuing separate communications to licensees directly affected by the recent credential stuffing incidents; these entities are required to undertake a special purpose engagement, rather than a self-assessment, to assess the adequacy and effectiveness of their controls.
AST APRA remains focused on this critical issue and will continue to pursue it through supervisory and other regulatory action as necessary; it expects all trustees, regardless of size, to treat the matter with urgency and priority, in line with the risks and their duty to members.
Effectiveness
All required actions must be completed no later than Aug. 31, 2025.