By Capital Consult

13 June 2025

2 Minutes

APRA takes aim at the Superannuation industry.

APRA has noted “persistent weaknesses in RSE licensees’ information security controls”.

Following a substantial cyber-attack impacting several large Superannuation entities earlier this year, APRA has noted the industry has fallen short of expected standards in cyber security (CPS 234).

In its just-released “For Action” letter to all RSE licensees, APRA reinforces that multi-factor authentication for high-risk activities and privileged access management is not optional in meeting CPS 234 obligations.

By 31 August 2025, APRA requires each RSE licensee to perform a self-assessment of its existing information security controls and submit to APRA a material control weakness notification (under CPS 234) and any breach notification. Any remediation will need to be planned, including regular APRA engagement.

At Capital Consult, we have supported numerous APRA-regulated entities to:

  • Plan and navigate APRA engagements and requests with confidence

  • Document control weakness and breach notifications

  • Plan and manage remediation activity

  • Evidence regulatory compliance using a range of artefacts

This is not just about cybersecurity; it’s also about regulatory credibility.

Boards and senior management must be able to stand behind their information security controls with confidence and clarity as to their effectiveness. They should also ensure their entity is able to effectively demonstrate this as they engage with APRA.

Contact us if you need help in meeting APRA’s expectations.

Is APRA keeping you up at night?

We get it! You’re not the only one.

The ever-evolving nuances of regulation and compliance can seem complex when looking from the outside in. As specialists dealing with these nuances every day, we can spot the gaps quickly and advise you on what’s important, what’s urgent and what will put you at ease.

If you’d like to chat about where you’re at, get in touch - we’re here to help.
