APRA Information Security Obligations and Critical Authentication Controls

APRA has reminded its regulated entities, including superannuation licensees, of their binding obligations under Prudential Standard CPS 234 Information Security (CPS 234). Paragraph 21 of CPS 234 mandates that entities implement information security controls commensurate with the vulnerabilities, threats, criticality, and sensitivity of their information assets.

APRA says it has observed weaknesses, particularly in authentication controls, that allowed recent credential stuffing incidents. These weaknesses indicate a gap between entities' current practices and APRA's expectations as set out in the standard and its associated guidance, Prudential Practice Guide CPG 234.

APRA says the obligation of superannuation entities to ensure the safety and security of members’ retirement savings and member data is non-negotiable.

It requires that each RSE (registrable superannuation entity) licensee take three steps relating to information security controls before 31 August 2025.


Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.
