On 11 August 2025, the Australian Prudential Regulation Authority (APRA) published its notes on a superannuation roundtable that focussed on recent cyber incidents impacting several superannuation entities.

In the note, APRA reminded participants of its recent communications on authentication controls and of its observations on incident response across the superannuation industry. It highlighted the need for entities to better understand how an incident affects public perception and member trust, and for better co-ordination so that responses are timely.

Lieutenant General Michelle McGuinness of the National Office of Cyber Security (NOCS) provided an overview of the evolving cyber threat landscape in Australia and the series of industry sector playbooks that have been issued to support organisations during cyber incidents.

The note also provides an overview of learnings and reflections from various entities’ experiences during cyber incidents:

  • Member communications: Low overall engagement from members made it more difficult to communicate effectively during the incident. To avoid mixed messaging, it is essential that the communications approach is clearly understood by all stakeholders. There is an opportunity to enhance the crisis communication plan by clearly defining roles and responsibilities. When complete data is not available, there needs to be a balance between providing general updates and sharing specifics. Members need information that helps them stay alert to potential risks. Additionally, outbound calls proved challenging due to growing community distrust in answering calls from unknown numbers.
  • Media management: Entities reflected on the complexities of managing media communications, highlighting the need for proactive engagement and consistent messaging to maintain trust. It was recognised early that the incident would attract significant media attention. While member communication was prioritised, care was taken not to cause panic or undue concern. Monitoring social media emerged as the fastest way to identify emerging media issues. Media messaging should be clear and direct, especially regarding how and where members can contact their fund. Understanding the most impacted member groups was also identified as a key priority.
  • Incident response experience: Entities shared their experiences in managing the incident, noting both successes and challenges. Member account safety was prioritised, and proactive communication with affected members led to a generally positive sentiment. In the early stages, chief information security officer networks were heavily relied upon for information sharing, suggesting a potential opportunity to establish more formal and proactive arrangements across funds to improve responsiveness. Communicating with a large number of members quickly, without overwhelming call centres, was a significant challenge. However, the industry gained valuable insights, particularly in communications, that could be applied in future incidents.
  • Reliance on third party providers/administrators: The incident highlighted the benefits of a collective approach across the supply chain, including administrators and banks involved in the payment chain. Strong partner relationships laid the foundation for a collaborative and rapid response across areas such as Risk Advisory, Security Operations, Incident Response, Digital Forensics, Contact Centre, and Administration Services. Third-party commitment was evident, with many going above and beyond to achieve the best outcomes for members. The combined expertise across the super ecosystem brought significant skills and knowledge to the table. The Service Provider Alert service added an extra layer of protection to existing cybersecurity controls. Regular and transparent information sharing ensured alignment on priorities, and shared digital workspaces enabled seamless, real-time interaction between partners.

The final part of the note covers an update from the Australian Signals Directorate on trends in the broader Australian financial sector, which continues to be targeted not only by financially motivated criminals but also by state-sponsored actors. Such attacks now target both lower and higher income countries.