Australian Retirement Trust said members are able to opt in to use MFA, and it had additional security requirements for some transactions. Insignia Financial said it uses MFA for “key activities”, such as registration, withdrawals and changing bank account details. Cbus said it also uses MFA for key activities.
AustralianSuper, which was the only fund to reveal that four of its members lost a combined $500,000 during the cyberattack, has MFA in place for members who request a withdrawal via the website or app. A spokesman said it would roll out MFA controls more widely by next month.
On Tuesday, the regulator said it had been working with the Australian Securities and Investments Commission and the National Office of Cyber Security over the hacking attack on the funds.
“In accordance with APRA’s protocols for responding to events of this type, supervision has been heightened across the industry with a focus of information sharing, and the monitoring and containment of issues – with the objective of protecting Australians,” an APRA spokeswoman said.
While APRA does not require the entities it regulates to use MFA, boards are ultimately responsible for the information security of their organisations. The Financial Services Council, which represents retail funds, will require its members to use MFA from July 2026.
Arctic Wolf director of security services Mark Thomas said APRA should mandate all financial services organisations, including super funds, to roll out MFA.
“Purely in credential stuffing, having MFA would help limit hackers’ ability to compromise the users’ credentials,” Thomas said.
“Ultimately, we need to have MFA enforced for everyone whenever someone accesses those portals, such as to update their details, update to transferring of funds outside of the organisation. But [it’s also important] to have a more holistic identity and access management that looks at time of day, behaviour of user, where they’re logging in from – that will all help limit the risk.”
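The two layers Thomas describes, unconditional MFA on sensitive portal actions plus contextual signals such as time of day, login location, user behaviour and the cross-account failure velocity that characterises credential stuffing, can be expressed as a small risk engine. The block below is an added illustration written for this page; it is not code from the article, Arctic Wolf or any super fund. The member profiles, IP addresses, thresholds and the action names (`withdraw`, `change_bank_details`, `update_contact`) are constructed assumptions.

```python
"""Risk-based step-up authentication over constructed login and transaction events.

Added example, not from the article or any named organisation. Every event,
profile, threshold and action name below is a constructed assumption.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Actions that always require MFA, regardless of how clean the context looks.
SENSITIVE_ACTIONS = {"withdraw", "change_bank_details", "update_contact"}
# Distinct accounts with failed logins from one IP before we treat it as a
# credential-stuffing source (assumed value; tune against real traffic).
STUFFING_FAIL_THRESHOLD = 5
# Local hours treated as unusual unless the member normally logs in then.
UNUSUAL_HOURS = range(0, 5)


@dataclass
class Event:
    ts: datetime
    member: str
    ip: str
    country: str
    action: str          # "login" or one of SENSITIVE_ACTIONS
    success: bool = True


@dataclass
class MemberProfile:
    usual_countries: set = field(default_factory=set)
    usual_hours: set = field(default_factory=set)


class RiskEngine:
    def __init__(self, profiles):
        self.profiles = profiles
        # ip -> distinct member ids that failed a login from it (stuffing signal)
        self.failed_accounts_by_ip = defaultdict(set)

    def observe(self, ev):
        """Feed every event, including failures, so velocity signals build up."""
        if ev.action == "login" and not ev.success:
            self.failed_accounts_by_ip[ev.ip].add(ev.member)

    def risk_signals(self, ev):
        signals = []
        prof = self.profiles.get(ev.member, MemberProfile())
        if ev.country not in prof.usual_countries:
            signals.append("new_country")
        if ev.ts.hour in UNUSUAL_HOURS and ev.ts.hour not in prof.usual_hours:
            signals.append("unusual_hour")
        if len(self.failed_accounts_by_ip[ev.ip]) >= STUFFING_FAIL_THRESHOLD:
            signals.append("stuffing_source_ip")
        return signals

    def decide(self, ev):
        """Return ("allow" | "mfa" | "block", signals) for a successful event."""
        signals = self.risk_signals(ev)
        if "stuffing_source_ip" in signals:
            # An IP that has been spraying many accounts: hard block here for
            # clarity; behind carrier NAT a rate limit or challenge may fit better.
            return "block", signals
        if ev.action in SENSITIVE_ACTIONS or signals:
            return "mfa", signals
        return "allow", signals


def build_sample_events():
    """Constructed events: a stuffing burst, then ordinary member activity."""
    burst = datetime(2025, 4, 3, 2, 30)
    events = [Event(burst, f"member{i}", "203.0.113.9", "AU", "login", success=False)
              for i in range(6)]
    # The same IP then succeeds against another account (a reused password).
    events.append(Event(burst, "member7", "203.0.113.9", "AU", "login"))
    events.append(Event(datetime(2025, 4, 3, 10, 0), "alice", "198.51.100.5", "AU", "withdraw"))
    events.append(Event(datetime(2025, 4, 3, 10, 5), "alice", "192.0.2.77", "NL", "login"))
    events.append(Event(datetime(2025, 4, 3, 11, 0), "alice", "198.51.100.5", "AU", "login"))
    return events


def run_demo():
    """Returns (member, action, decision, signals) for each successful event."""
    profiles = {"alice": MemberProfile({"AU"}, set(range(8, 20)))}
    engine = RiskEngine(profiles)
    decisions = []
    for ev in build_sample_events():
        engine.observe(ev)
        if ev.success:
            decisions.append((ev.member, ev.action) + engine.decide(ev))
    return decisions


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The point of the sample run is the ordering Thomas argues for: the withdrawal from a member in her usual country at a normal hour still steps up to MFA because the action is sensitive, the login from a new country steps up because of context, and the successful login from an IP that has just failed against six other accounts is treated as credential stuffing even though the password was correct.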
A Department of Home Affairs spokeswoman said that “the National Office of Cyber Security continues to co-ordinate engagement across the Australian government and with industry stakeholders regarding the issues impacting the superannuation sector”.