APRA reinforces expectations on authentication controls in superannuation sector

The Australian Prudential Regulation Authority (APRA) has written to all RSE (Registrable Superannuation Entity) licensee board chairs, reinforcing expectations around information security and the implementation of robust authentication controls.

This action follows recent credential stuffing attacks that exposed persistent weaknesses in authentication practices across the superannuation industry. APRA has reminded entities of their obligations under Prudential Standard CPS 234 Information Security and outlined specific actions to assess and strengthen authentication controls.

APRA expects all RSE licensees to complete a self-assessment of their information security controls, ensure multi-factor authentication (MFA) or equivalent protections are in place for high-risk activities and privileged access, and notify APRA of any material control weaknesses or breaches. Entities must also identify their Accountable Person(s) under the Financial Accountability Regime (FAR) responsible for CPS 234 compliance. 

The letter, "For action: Information Security Obligations and Critical Authentication Controls", is available on the APRA website.
