In a pointed directive that should not be underestimated, APRA has issued a clear and urgent message: superannuation funds must drastically improve their authentication controls. This follows a series of credential stuffing attacks that saw hundreds of thousands of dollars stolen from unsuspecting Australians.
While the directive primarily targets APRA-regulated entities, the lessons are broadly applicable across all sectors. If your organisation holds sensitive data, you should sit down with your IT or cybersecurity lead today. If you’re not asking the right questions now, the next breach could easily be yours.
Cybersecurity has always been a game of margins: the difference between “secure enough” and “exploited” often hinges on small lapses. APRA’s directive sheds light on inadequate or misconfigured authentication controls that continue to be exploited by adversaries with alarming ease.
This is not merely about compliance. Even if the directive does not apply to you, it is about protecting the trust your customers place in you, and that starts by holding your internal teams accountable.
MFA should be non-negotiable for anything involving access to sensitive systems, customer data, or financial transactions. If it is not universally enforced, ask why.
APRA expects regulated entities to complete their self-assessment against the directive by 31 August. This is a good exercise even if your organisation is outside the APRA compliance scope. Ask for evidence: not just checkboxes, but results and remediation plans.
If you’re not using threat intelligence, behavioural monitoring, account lockout policies or rate limiting to detect these attacks, you are operating blind. Credential stuffing has a recognisable shape: one source trying many different accounts with a high failure rate, or one account being tried from many sources, and the occasional success buried in the noise is the compromise you need to catch.
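The following is an added example of what that detection looks like in practice, written for this page rather than taken from APRA or any fund's tooling. It assumes a constructed, simplified authentication log format (`timestamp ip=… user=… result=…`) and thresholds chosen for illustration; it flags sources spraying many accounts, accounts being hit from many sources, sources exceeding a per-window rate limit, and successful logins that occurred from a spraying source.

```python
"""Credential-stuffing detection over authentication log lines.

Added example for this page; the log format, sample lines and thresholds
below are constructed assumptions, not any product's real format.
Each line: <ISO-8601 UTC timestamp> ip=<addr> user=<login> result=<success|failure>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source sprays six accounts and lands one success,
# one account is attacked from five different sources, and one legitimate user
# mistypes a password once before logging in.
SAMPLE_LOG = """\
2025-06-10T09:00:01Z ip=203.0.113.7 user=alice result=failure
2025-06-10T09:00:02Z ip=203.0.113.7 user=bob result=failure
2025-06-10T09:00:03Z ip=203.0.113.7 user=carol result=failure
2025-06-10T09:00:04Z ip=203.0.113.7 user=dave result=failure
2025-06-10T09:00:05Z ip=203.0.113.7 user=erin result=success
2025-06-10T09:00:06Z ip=203.0.113.7 user=frank result=failure
2025-06-10T09:00:10Z ip=198.51.100.2 user=grace result=failure
2025-06-10T09:00:11Z ip=198.51.100.3 user=grace result=failure
2025-06-10T09:00:12Z ip=198.51.100.4 user=grace result=failure
2025-06-10T09:00:13Z ip=198.51.100.5 user=grace result=failure
2025-06-10T09:00:14Z ip=198.51.100.6 user=grace result=failure
2025-06-10T09:05:00Z ip=192.0.2.10 user=heidi result=failure
2025-06-10T09:05:20Z ip=192.0.2.10 user=heidi result=success
"""

WINDOW = timedelta(minutes=5)   # sliding window for every signal below
MAX_USERS_PER_IP = 5            # distinct accounts one source may try per window
MAX_IPS_PER_USER = 3            # distinct sources failing on one account per window
MAX_ATTEMPTS_PER_IP = 5         # rate limit: attempts per source per window


def parse(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["ip"], kv["user"], kv["result"]


def analyse(log_text):
    """Return the four signals as sets keyed by signal name."""
    by_ip = defaultdict(list)    # ip   -> [(ts, user, result)]
    by_user = defaultdict(list)  # user -> [(ts, ip, result)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse(line)
        by_ip[ip].append((ts, user, result))
        by_user[user].append((ts, ip, result))

    stuffing_ips, rate_limited = set(), set()
    for ip, events in by_ip.items():
        # Evaluate the window ending at each event (events are in log order).
        for ts, _, _ in events:
            window = [e for e in events if ts - WINDOW <= e[0] <= ts]
            if len(window) > MAX_ATTEMPTS_PER_IP:
                rate_limited.add(ip)
            distinct_users = {u for _, u, _ in window}
            failures = sum(1 for _, _, r in window if r == "failure")
            # Many accounts from one source, mostly failing: a stuffing signature.
            if len(distinct_users) >= MAX_USERS_PER_IP and failures * 2 >= len(window):
                stuffing_ips.add(ip)

    locked_users = set()
    for user, events in by_user.items():
        for ts, _, _ in events:
            failed = [e for e in events if ts - WINDOW <= e[0] <= ts and e[2] == "failure"]
            # One account failing from many sources: distributed stuffing.
            if len({ip for _, ip, _ in failed}) >= MAX_IPS_PER_USER:
                locked_users.add(user)

    # A success from a spraying source is the likely account takeover.
    suspect_successes = {u for ip in stuffing_ips for _, u, r in by_ip[ip] if r == "success"}
    return {
        "stuffing_ips": stuffing_ips,
        "locked_users": locked_users,
        "rate_limited_ips": rate_limited,
        "suspect_successes": suspect_successes,
    }


if __name__ == "__main__":
    for name, hits in analyse(SAMPLE_LOG).items():
        print(f"{name}: {sorted(hits)}")
```

Two caveats a practitioner would want. The per-source signals are trivially evaded by an attacker rotating through residential proxies, which is why the per-account view is needed as well; and the per-account signal should drive throttling or step-up authentication rather than a hard lockout, because an attacker who can lock accounts at will has a ready-made denial of service against your customers. The `suspect_successes` set is the one to act on immediately: those sessions should be terminated and the accounts re-verified.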
If you are still relying on SMS-based MFA, it is probably time to modernise. SMS is not an option for people with limited mobile coverage, and one-time codes sent by SMS are weaker than app-based authentication: they can be intercepted or redirected through SIM swapping, and they can be phished. Push-based MFA (with number matching, so that users cannot simply approve a flood of prompts) and, above all, phishing-resistant FIDO2/WebAuthn should be part of your roadmap.
The reality is, no control is perfect. You need assurance that if an account is compromised, the blast radius is minimal, monitoring detects it quickly, and the response is immediate.
Cybersecurity isn’t a cost centre; it enables your business to grow. The APRA directive should serve as more than a compliance checkbox; it should be a catalyst for strategic security conversations at the board level. Business leaders should resist the temptation to consider security an "IT problem". It's an organisational imperative. Start asking the hard questions. Push for transparency. Prioritise resilience.
Because no amount of PR will undo the damage if you neglect the security. If you are an APRA regulated entity, be prepared. More changes are coming. APRA plans to review CPS 234 in due course to clarify even more expectations on security controls.
Australian Prudential Regulation Authority. (10 June 2025). For Action: Information Security Obligations and Critical Authentication Controls. https://www.apra.gov.au/for-action-information-security-obligations-and-critical-authentication-controls
Australian Prudential Regulation Authority. (26 May 2023). Use of multi-factor authentication (MFA). https://www.apra.gov.au/use-of-multi-factor-authentication-mfa