ASFA, the voice of super, has welcomed APRA’s reinforcement of the information security and authentication controls it requires super funds to adopt to help ensure superannuation accounts are protected from cyber-attacks.
“These are fair and reasonable expectations from APRA that help protect fund members, and ASFA has taken a leading role in ensuring the sector is meeting them and is well prepared for future cyber incidents,” ASFA CEO Mary Delahunty said.
“The huge responsibility of managing close to $4.2 trillion of super contributions to help members achieve a dignified and enjoyable retirement is one the sector takes seriously, which is why ASFA has been very active in implementing a range of measures to ensure the sector complies with APRA’s expectations.”
APRA has written to the sector today identifying the importance of implementing multi-factor authentication or equivalent controls. ASFA is pleased to have commenced work on establishing sector-wide minimum fraud controls and will ensure that multi-factor authentication requirements for the superannuation sector are in place by 31 August 2025.
ASFA has engaged an experienced cyber security expert with a background in superannuation and banking to help guide this work.
ASFA is also developing a Superannuation Cybersecurity Coordination & Collaboration Framework in consultation with the sector and relevant stakeholders, and understands the importance of aligning this work as much as practicable with APRA’s reasonable expectations.
The key actions ASFA is currently taking to uplift cyber resilience for the superannuation sector include:
ASFA Cyber Security Toolkit
ASFA’s recently released Cyber Security Toolkit clearly outlines legislative and other obligations as they currently stand and provides a decision-tree style matrix to help navigate step-by-step through the relevant legislative and regulatory obligations.
Cyber Incident Response
ASFA and the Department of Home Affairs’ National Office for Cyber Security (NOCS) co-hosted a Cyber Incident Response Preparation Meeting in recent weeks. The outcomes will inform a formal exercise later in the year.
Minimum Fraud Controls Guidance Update
ASFA has updated the superannuation sector’s Minimum Fraud Controls to reflect contemporary expectations – reinforcing controls such as mandatory multi-factor authentication (MFA) at login. Final publication and implementation will be aligned with APRA’s expectations on the sector of 31 August 2025.
Superannuation Cybersecurity Coordination & Collaboration Framework
ASFA is carrying out discovery work on a new coordination framework to enhance secure information sharing and collaborative response mechanisms during cyber incidents. ASFA will work with its membership and external stakeholders to align progress on this framework to be as close as practicable to APRA’s expectations.
Cybersecurity Education and Awareness
ASFA is developing a cyber-focused education series in partnership with its Learning and Development team, which is expected to be launched in the second half of 2025.
For further information, please contact:
ASFA Media Manager Richard Garfield, 0451 949 300.
About the Association of Superannuation Funds of Australia (ASFA)
ASFA, the voice of super, has been operating since 1962 and is the peak policy, research and advocacy body for Australia’s superannuation industry. ASFA represents the APRA regulated superannuation industry with over 100 organisations as members from corporate, industry, retail and public sector funds, and service providers. We develop policy positions through collaboration with our diverse membership base and use our deep technical expertise and research capabilities to assist in advancing outcomes for Australians.
We unite the superannuation community, supporting our members with research, advocacy, education and collaboration to help Australians enjoy a dignified retirement. We promote effective practice and advocate for efficiency, sustainability and trust in our world-class retirement income system.
