APRA demands stronger cyber defences from super funds


Protecting customer assets is a fundamental security pillar for any financial or superannuation organisation. In practice, this means having robust cyber security measures in place to reduce the risk of cyber security incidents.
That’s why the Australian Prudential Regulation Authority (APRA) has issued a clear and urgent directive to the superannuation industry: improve your cyber security posture or risk regulatory consequences.
With APRA’s deadline for compliance approaching at the end of August, now is the time for super funds, and for partners like us at Interactive, to act.
1. What are APRA’s requirements?
In simple terms, APRA wants to ensure every super fund is protected against the kinds of breaches that have recently led to member losses. The directive responds to recent credential stuffing attacks across several Australian super funds. In a credential stuffing attack the attacker does not break the fund’s systems at all: they replay username and password pairs exposed in earlier data breaches of other services, relying on members having reused the same password, and take over every account where the old password still works.
Overall, APRA is asking RSE licensees – any organisation holding an APRA licence to operate a superannuation fund – to do the following:
- Conduct a self-assessment of current cyber controls, reviewing both how they’re implemented and how effective they are.
- Evaluate whether these controls are robust enough to defend against modern threats.
- Implement multi-factor authentication (MFA) or equivalent controls for all high-risk activities.
If any deficiencies are found:
- Report the control weakness to APRA.
- Conduct a breach assessment under CPS 234.
- Submit a breach notification, if required.
2. Why is APRA targeting super funds?
Super funds hold billions in member assets, and scammers follow the money. In 2025 we have seen incidents at several super funds, including one breach in which roughly $750,000 was stolen from members’ accounts. Credential stuffing is also a low-effort, high-reward method for attackers: it needs no exploit, only a leaked credential list and the ability to try logins at scale.
APRA’s broader aim is to push funds towards a zero-trust posture, where a valid username and password on their own are not enough: even if an attacker gets into an account, a further identity check (such as MFA) is required before high-risk actions like transferring money or changing bank details. This is defence in depth: layered protections that can catch a threat when one control fails.
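The step-up pattern described above, as an added illustration (not code from APRA, Interactive or any fund): a session carries the time the password was last verified and the time MFA was last completed, and a policy check decides whether an action can proceed. The action names, the five-minute freshness window and the session fields are assumptions chosen for the example. The point it makes is that an attacker holding only a stolen password can view a balance but is stopped at every action that moves money or changes where it goes.

```python
"""Step-up authentication for high-risk member actions (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Assumed list of actions that move money or change where it goes.
HIGH_RISK_ACTIONS = frozenset(
    {"transfer_funds", "withdraw", "change_bank_details", "change_contact_details"}
)
# Assumed freshness window: MFA must have been completed within the last 5 minutes.
MFA_FRESHNESS_SECONDS = 300


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_REQUIRED = "step_up_required"  # send the member to an MFA challenge first
    DENY = "deny"


@dataclass
class Session:
    member_id: str
    password_verified_at: Optional[int]      # epoch seconds; None if not logged in
    mfa_verified_at: Optional[int] = None    # epoch seconds of the last completed MFA
    mfa_enrolled: bool = True


def record_mfa_success(session: Session, now: int) -> None:
    """Called after the member passes an MFA challenge."""
    session.mfa_verified_at = now


def authorize(session: Session, action: str, now: int) -> Decision:
    """Decide whether `action` may proceed for this session at time `now`.

    Low-risk actions need only a logged-in session. High-risk actions also
    need a recent MFA, so a stolen password alone cannot drain the account.
    """
    if session.password_verified_at is None:
        return Decision.DENY
    if action not in HIGH_RISK_ACTIONS:
        return Decision.ALLOW
    if not session.mfa_enrolled:
        # No second factor on the account: refuse rather than let the caller
        # enrol a new factor from a possibly hijacked session. Enrolment is
        # assumed to go through an out-of-band identity check instead.
        return Decision.DENY
    if session.mfa_verified_at is None:
        return Decision.STEP_UP_REQUIRED
    if now - session.mfa_verified_at > MFA_FRESHNESS_SECONDS:
        # MFA at login is not enough on its own; it must be fresh for the action.
        return Decision.STEP_UP_REQUIRED
    return Decision.ALLOW


if __name__ == "__main__":
    # Attacker with a password that still works from an old breach, no MFA.
    s = Session(member_id="m-1001", password_verified_at=1_000)
    print("view_balance   ->", authorize(s, "view_balance", now=1_100).value)
    print("transfer_funds ->", authorize(s, "transfer_funds", now=1_100).value)
    record_mfa_success(s, now=1_100)           # the real member passes MFA
    print("transfer_funds ->", authorize(s, "transfer_funds", now=1_200).value)
    print("later transfer ->", authorize(s, "transfer_funds", now=1_100 + 600).value)
```

The freshness window is the design choice worth arguing over: a long window is convenient but turns one MFA at login into blanket approval for the whole session, which is exactly what the directive is trying to prevent for payment-changing actions.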
3. How can Interactive help you stay compliant?
The responsibility doesn’t sit with super funds alone. Interactive works with leading financial services organisations to build secure, compliant infrastructure. For organisations responding to APRA’s directive, we recommend:
- Understand and align to CPS 234: Build a compliance regime that meets APRA’s baseline expectations.
- Enforce multi-factor authentication: Especially for high-risk transactions.
- Monitor and defend against credential stuffing: Automatically detect and block suspicious login behaviour.
- Engage your executive and board: Ensure cyber risk and compliance with APRA’s guidance are being addressed at the highest level.
- Design for defence in depth: Implement layered controls so that no single point of failure can lead to compromise.
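What "detect and block suspicious login behaviour" looks like in practice for the credential stuffing attacks described earlier, as an added example (not Interactive's tooling or any fund's code): a detector that reads authentication log lines and, per source address, looks for many distinct usernames tried inside a short window with a high failure ratio. The log format, the sample lines (RFC 5737 documentation addresses) and the thresholds are all constructed for the example. It also deliberately includes two sources that should not be flagged: a corporate NAT address where many members log in successfully, and one member repeatedly failing on their own account, which is a different problem from stuffing.

```python
"""Credential-stuffing detection over authentication logs (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Constructed log format: one authentication attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Assumed thresholds. A source that tries many *different* usernames and
# mostly fails is replaying a breached list; a member mistyping their own
# password hits one username, and an office NAT mostly succeeds.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5
MIN_FAILURE_RATIO = 0.6

# Constructed sample: one stuffing source, one office NAT, one forgetful member.
SAMPLE_LOG = """\
2025-04-02T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2025-04-02T09:00:02Z src=203.0.113.7 user=bob result=FAIL
2025-04-02T09:00:02Z src=203.0.113.7 user=carol result=FAIL
2025-04-02T09:00:03Z src=203.0.113.7 user=dave result=OK
2025-04-02T09:00:04Z src=203.0.113.7 user=erin result=FAIL
2025-04-02T09:00:05Z src=203.0.113.7 user=frank result=FAIL
2025-04-02T09:00:06Z src=203.0.113.7 user=grace result=FAIL
2025-04-02T09:00:07Z src=203.0.113.7 user=heidi result=FAIL
2025-04-02T09:01:10Z src=198.51.100.5 user=ivan result=OK
2025-04-02T09:01:12Z src=198.51.100.5 user=judy result=OK
2025-04-02T09:01:15Z src=198.51.100.5 user=mallory result=FAIL
2025-04-02T09:01:20Z src=198.51.100.5 user=mallory result=OK
2025-04-02T09:01:30Z src=198.51.100.5 user=niaj result=OK
2025-04-02T09:01:40Z src=198.51.100.5 user=olivia result=OK
2025-04-02T09:01:50Z src=198.51.100.5 user=peggy result=OK
2025-04-02T09:05:00Z src=192.0.2.33 user=alice result=FAIL
2025-04-02T09:05:05Z src=192.0.2.33 user=alice result=FAIL
2025-04-02T09:05:09Z src=192.0.2.33 user=alice result=OK
"""


@dataclass
class Attempt:
    ts: datetime
    src: str
    user: str
    ok: bool


@dataclass
class Finding:
    src: str
    distinct_users: int
    attempts: int
    failure_ratio: float
    compromised_users: Set[str]  # successful logins from a flagged source


def parse_log(text: str) -> List[Attempt]:
    attempts: List[Attempt] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # in production, count unparseable lines; dropping them silently hides gaps
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        attempts.append(Attempt(ts, m["src"], m["user"], m["result"] == "OK"))
    return attempts


def detect_stuffing(attempts: List[Attempt]) -> Dict[str, Finding]:
    """Sliding-window analysis per source address; returns flagged sources."""
    by_src: Dict[str, List[Attempt]] = defaultdict(list)
    for a in attempts:
        by_src[a.src].append(a)
    findings: Dict[str, Finding] = {}
    for src, events in by_src.items():
        events.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(events)):
            # Advance `start` so events[start:end+1] spans at most WINDOW.
            while events[end].ts - events[start].ts > WINDOW:
                start += 1
            window = events[start:end + 1]
            users = {a.user for a in window}
            ratio = sum(1 for a in window if not a.ok) / len(window)
            if len(users) >= MIN_DISTINCT_USERS and ratio >= MIN_FAILURE_RATIO:
                prev = findings.get(src)
                if prev is None or len(window) > prev.attempts:  # keep the widest matching window
                    findings[src] = Finding(src, len(users), len(window), ratio,
                                            {a.user for a in window if a.ok})
    return findings


def accounts_to_protect(findings: Dict[str, Finding]) -> Set[str]:
    """Accounts that authenticated from a flagged source: force MFA/step-up and a password reset."""
    return set().union(*(f.compromised_users for f in findings.values()))


if __name__ == "__main__":
    found = detect_stuffing(parse_log(SAMPLE_LOG))
    for f in found.values():
        print(f"block {f.src}: {f.distinct_users} users, {f.attempts} attempts, "
              f"{f.failure_ratio:.0%} failed; compromised={sorted(f.compromised_users)}")
    print("force step-up / reset for:", sorted(accounts_to_protect(found)))
```

The successful login buried among the failures is the operationally important output: blocking the source stops further attempts, but the account that was entered with a reused password must also be forced through MFA and a credential reset, otherwise the attacker simply returns from a different address.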
Get in touch
APRA’s expectations are not optional; they represent the minimum acceptable standard. With 35 years of experience, Interactive stands as a leader in business continuity solutions. From rapid recovery to resilient, premium facilities, we ensure minimal downtime and maximum compliance.