On 10 June 2025, the Australian Prudential Regulation Authority (APRA) issued a letter to the board chairs of all registrable superannuation entity (RSE) licensees reminding them of their obligations under Prudential Standard CPS 234 Information Security (CPS 234).
APRA has issued this reminder given its concerns about persistent weaknesses in RSE licensees’ information security controls, particularly those related to authentication. APRA’s key message is strikingly blunt: it sees a gap between the information security controls it expects trustees to have in place and current industry practice, and it appears to have lost all patience, now requiring certain actions to be taken to confirm compliance with the requirements.
APRA is requiring all trustees to undertake specified actions by 31 August 2025 (including performing a self-assessment of their existing information security controls, notifying APRA of weaknesses in their material controls, conducting a breach assessment and advising APRA of the trustee’s relevant accountable persons under the Financial Accountability Regime). In the case of the trustees who were directly affected by the recent credential stuffing incidents earlier this year, APRA is going further, requiring them instead to undertake a special purpose engagement to assess the adequacy and effectiveness of their authentication controls under CPS 234.
In closing, APRA warns that it will pursue supervisory and other regulatory (read “enforcement”) actions as necessary. In particular, APRA views an inadequate control environment as an “unacceptable threat to the security of member funds and data”.
Our new online briefing note explores how superannuation trustees can enhance their scams prevention strategies by leveraging existing efforts to comply with the interconnected regulatory regimes which govern them, to help identify scam risks across their entire operations and to implement effective controls.