
FSC Standard No. 29: MFA for Australian Super Funds

Discover why superannuation funds are vulnerable and how regulations, including FSC Standard No. 29, recommend MFA and phishing-resistant authentication.

Vincent Delitz


Created: July 10, 2024

Updated: April 23, 2025



1. Introduction#

An update to the Financial Services Council (FSC) Standards in July 2024 has brought superannuation funds into the spotlight of ongoing security discussions. Under its Cyber Security 2030 Agenda, the FSC has released new guidance for its members. In this article, we will explore:

  • Why are Superannuation Funds an extremely vulnerable target?
  • What recommendations and regulations are relevant for Australian Superannuation Funds with regard to consumer authentication?

Finally, we will provide recommendations on how Superannuation Funds with consumer-facing web portals can protect customers at the highest level.

2. Superannuation Funds#

Superannuation Funds are a crucial part of the financial landscape in Australia, serving as retirement savings accounts for millions of Australians.

2.1 Why Are Superannuation Funds Vulnerable?#

Each consumer typically has one Superannuation account, making these funds an attractive target for cybercriminals due to the vast amounts of money and personal information they hold.

  • High-Value Targets: The significant sums of money accumulated in these funds over a consumer's working life make them highly lucrative for cybercriminals.

  • Sensitive Personal Information: Superannuation accounts contain extensive personal data, including identification details, financial information, and employment history. This information can be exploited for identity theft and fraud.

  • Widespread Access: With millions of Australians holding superannuation accounts, the widespread access increases the risk of breaches. Many consumers access their accounts online, creating numerous entry points for cyberattacks.

Total superannuation assets were $3.9 trillion at the end of March 2024 which underlines how important it is to protect consumers in this market.


2.2 Historical Breaches and Vulnerabilities#

Several high-profile breaches have highlighted the vulnerabilities within superannuation funds:

  • Phishing Attacks: Cybercriminals often use phishing tactics to gain access to accounts. These attacks trick users into providing their login credentials or other sensitive information.

  • Weak Authentication Practices: Many superannuation funds have historically relied on a username and password alone. Passwords are susceptible to brute-force attacks and, because members reuse them across services, to credential stuffing with password lists leaked from breaches of other services.

  • Insufficient Security Measures: Some funds have not implemented robust security protocols, such as multi-factor authentication (MFA), leaving them more exposed to unauthorized access.

By understanding these vulnerabilities, superannuation funds can take proactive steps to strengthen their security measures and protect their members' assets and information.


3. Authentication Regulations for Superannuation Funds#

In this section we briefly address the main recommendations and regulations that touch on the authentication of consumers.

3.1 Australian Prudential Regulation Authority (APRA)#

The Australian Prudential Regulation Authority (APRA) plays an important role in overseeing the financial stability and security of Australia’s financial institutions, including superannuation funds. APRA's prudential standards and guidance are designed to ensure that these institutions adopt robust security measures to protect sensitive financial data and maintain trust in the financial system.

3.1.1 APRA's Guidelines on Authentication#

APRA has issued guidance on authentication mechanisms, particularly focusing on the security of consumer-facing applications. This guidance is part of a broader set of requirements aimed at strengthening the overall cybersecurity posture of regulated entities. The key APRA instruments related to authentication are:

3.1.1.1 Prudential Standard CPS 234#

This standard mandates that all regulated entities, including superannuation funds, must implement appropriate information security measures to protect the confidentiality, integrity, and availability of information assets. It specifically emphasizes the need for effective access controls, including strong authentication mechanisms.

3.1.1.2 Information Security Management#

APRA's expectations on information security management (set out in Prudential Practice Guide CPG 234 Information Security, which accompanies CPS 234) require superannuation funds to continuously monitor and assess their security posture, including the effectiveness of their authentication practices. This includes regular reviews and updates to their authentication methods to address emerging threats.

3.1.1.3 APRA on Multi-Factor Authentication (MFA)#

APRA strongly recommends the adoption of MFA for all critical systems, especially those accessible to customers. This guidance is based on the recognition that single-factor authentication methods, such as passwords, are insufficient to protect against sophisticated cyberattacks. MFA provides an additional layer of security by requiring users to present two or more verification factors to gain access.

While significant investment has been made to improve authentication and security in workforce authentication, consumer authentication on online portals remains poorly protected.

3.1.2 Liability and Accountability#

APRA's framework also outlines the responsibilities and accountability of superannuation funds in the event of a security breach. If a superannuation fund fails to implement adequate authentication measures, resulting in unauthorized access or data breaches, the fund could be held liable for any resulting damages.

  • Consumer Protection: APRA mandates that superannuation funds must have clear policies and procedures to protect consumers. This includes ensuring that authentication methods are secure and user-friendly, minimizing the risk of unauthorized access to consumer accounts.

  • Incident Response and Remediation: In the event of a security breach, superannuation funds are required to have robust incident response plans. These plans should include steps for notifying affected consumers, mitigating the impact of the breach, and taking corrective actions to prevent future incidents.

3.1.3 Consumer Authentication#

For consumers accessing their superannuation funds, APRA's guidelines stress the importance of secure and reliable authentication methods. Superannuation funds are encouraged to implement the following measures to enhance consumer authentication:

  • Multi-Factor Authentication (MFA): Funds should adopt MFA to add an extra layer of security beyond just a username and password. MFA could include something the user knows (password), something the user has (security token or mobile device), and something the user is (biometric verification).

  • Phishing-Resistant Methods: APRA advises funds to consider how phishing attacks against members can be prevented. Phishing-resistant MFA methods, which bind the credential to the genuine origin and cannot be relayed through a look-alike site, provide stronger protection against credential theft than SMS or one-time codes.

  • Regular Security Updates: Authentication systems should be regularly updated to address new vulnerabilities and improve security. This includes updating software, applying patches, and reviewing authentication policies periodically.

By adhering to APRA’s guidelines and implementing strong, consumer-focused authentication measures, superannuation funds can significantly enhance their security posture, protect consumers’ sensitive information, and maintain trust in the financial system.

3.2 Essential Eight Framework#

The Essential Eight Framework, developed by the Australian Cyber Security Centre (ACSC), is a set of mitigation strategies designed to help organizations enhance their cybersecurity posture. This framework has been widely recognized and adopted across various sectors in Australia due to its comprehensive approach to mitigating cyber threats.

3.2.1 Essential Eight Framework: November 2023 Update#

The latest update to the Essential Eight in November 2023 introduced several enhancements in response to the evolving threat landscape, including, for the first time, requirements for authenticating customers of online customer services. This update is particularly relevant for superannuation funds given their critical role in managing retirement savings for millions of Australians.

3.2.2 Superannuation funds classification: Maturity Level 3#

Superannuation funds, due to their significant importance and the sensitive nature of the data they hold, must align with the recommendations and requirements of Maturity Level 3 within the Essential Eight Framework. This level mandates more stringent security controls, recognizing that superannuation funds are high-value targets for cybercriminals.

Key requirements at Maturity Level 3 include:

  • Phishing-Resistant Authentication: A core component at Maturity Level 2 and above is that the MFA offered to customers of online customer services provides a phishing-resistant option, in addition to MFA being used for the organisation's own users. This is crucial for protecting against phishing attacks that relay one-time codes in real time. Superannuation funds should therefore offer authentication mechanisms such as passkeys, which provide a higher level of security than SMS or app-based codes.

  • Multi-Factor Authentication (MFA): The framework requires MFA for users of an organisation's online services, for privileged access, and for customers of online customer services that process, store or communicate sensitive customer data. MFA adds an essential layer of security by requiring multiple forms of verification, significantly reducing the risk of unauthorized access.

By aligning with the Essential Eight Framework's Maturity Level 3 requirements, superannuation funds can significantly enhance their security posture, protecting the sensitive financial data of millions of Australians. The November 2023 update underscores the urgency and necessity of adopting these advanced security measures, making MFA and phishing-resistant authentication indispensable for consumer accounts.

3.3 Financial Services Council Standard 29#

In July 2024, the Financial Services Council (FSC) introduced Standard No. 29, focusing on enhancing cybersecurity measures for superannuation funds.


3.3.1 Key Aspects of FSC Standard No. 29#

The updated FSC Standard No. 29 includes several critical provisions aimed at bolstering the cybersecurity defenses of superannuation funds. Here are the key aspects:

  • Mandatory Multi-Factor Authentication (MFA): One of the central components of the updated standard is the requirement for all superannuation funds to implement MFA for accessing critical systems and consumer-facing web portals. This measure is designed to provide an additional layer of security, reducing the risk of unauthorized access through compromised credentials.

  • Phased Implementation Timeline: Recognizing the complexities involved in implementing robust cybersecurity measures, FSC Standard No. 29 sets a phased timeline for compliance. Superannuation funds are required to have MFA fully implemented by 2026. This phased approach allows funds to gradually enhance their security infrastructure while managing the operational and financial implications of these upgrades.

  • Alignment with Regulatory Expectations: The updated standard emphasizes the importance of aligning with the expectations set forth by regulatory bodies such as the Australian Prudential Regulation Authority (APRA). This includes adhering to guidelines on information security management and ensuring that authentication practices meet the rigorous standards required by APRA.

  • Consumer Protection Focus: FSC Standard No. 29 places a strong emphasis on protecting consumers. It mandates that superannuation funds must not only implement MFA but also ensure that these authentication mechanisms are user-friendly and accessible. This focus aims to enhance consumer confidence in the security of their retirement savings.

  • Regular Security Reviews: The standard requires superannuation funds to conduct regular security reviews and updates to their authentication systems. This ongoing assessment is crucial for maintaining a robust security posture in the face of evolving cyber threats.

Although the standard requires MFA, it allows exceptions in narrow circumstances, for example for members who do not own a smartphone.


3.3.2 Implications for Superannuation Funds#

The introduction of FSC Standard No. 29 represents a significant step forward in strengthening the cybersecurity framework of superannuation funds. By prioritizing the implementation of phishing-resistant MFA and other advanced security measures, superannuation funds can better protect their members' sensitive information and financial assets. The phased timeline provides a structured approach to achieving compliance, but the urgency of the current threat landscape necessitates proactive measures well before the 2026 deadline.

In conclusion, FSC Standard No. 29 underscores the critical importance of robust authentication mechanisms in safeguarding superannuation funds. By aligning with both regulatory guidelines and industry best practices, these funds can ensure the highest level of protection for their customers, thereby maintaining trust and confidence in their services.

4. Recommendation: Phishing-resistant MFA for Superannuation Funds with Passkeys#

The integration of multi-factor authentication (MFA) within superannuation funds is essential for enhancing security and protecting sensitive consumer information. Three key sources of guidance:

  • the Australian Prudential Regulation Authority (APRA)
  • the Essential Eight Framework, and
  • the Financial Services Council (FSC) Standard No. 29

have provided comprehensive guidelines and requirements to ensure robust cybersecurity practices.


4.1 MFA Recommendation by Regulation#

This table summarizes the recommendations and requirements, highlighting the importance of MFA and phishing-resistant authentication:

Regulatory body / framework    MFA position
APRA                           Strongly recommended
Essential Eight Framework      Required; a phishing-resistant option must be offered to customers (Maturity Level 2 and above)
FSC Standard No. 29            Required by 2026, with narrow exceptions (e.g. members without a smartphone)

The collective guidance clearly establishes the critical need for MFA within superannuation funds. The consistent emphasis on MFA, combined with explicit warnings about phishing, points clearly towards passkeys. In our Essential Eight article we have laid out clear recommendations on how this can be achieved.

4.2 Passwordless Strategy#

Besides the implementation of MFA, it's recommended that Super Funds should go passwordless. By following a long-term passwordless strategy, they can phase out passwords in multiple steps which removes a major attack vector in their security landscape.

We recommend to follow a 4-phase passwordless strategy:


  1. In the first phase, the Super Funds introduce passkeys as the next-gen, secure authentication method.
  2. In the second phase, the adoption of passkeys is pushed so that passkeys will eventually become the default login method for most users.
  3. In the third phase, once a critical adoption of passkeys is reached, Super Funds should proactively offer users to remove passwords entirely from their accounts.
  4. In the fourth phase, account recovery should also be improved, with stronger, non-phishable identity verification, so that recovery does not become the new weakest link.

5. Major Cyberattack Hits Australian Superannuation Funds - April 2025#

In early April 2025, a significant cyberattack targeted multiple Australian superannuation funds, exposing critical vulnerabilities in their existing authentication mechanisms and resulting in substantial financial losses for affected customers. The cybercriminals employed a method known as credential stuffing, using previously stolen passwords and personal data to gain unauthorized access to members' accounts.

5.1 Details of the Super Fund Data Breach#

Superannuation funds impacted by this breach include some of Australia's largest:

  • AustralianSuper
  • Rest Super
  • Insignia Financial
  • Australian Retirement Trust
  • HostPlus

These funds have collectively reported suspicious activity and breaches involving the unauthorized use of member credentials. AustralianSuper has explicitly confirmed that $500,000 was stolen from four of its members' accounts, highlighting a significant security gap despite existing cyber defenses.

Rest Super indicated that about 8,000 of its members experienced limited personal data exposure, including names and email addresses, with fewer than 20 members potentially suffering more severe data breaches, involving full names, addresses, account beneficiaries, and balances.

The method used, credential stuffing, is particularly insidious because it relies on passwords obtained from earlier breaches, such as the Optus, Medibank and Latitude Financial hacks, being reused on the super fund portal. These data leaks gave cybercriminals detailed personal information such as email addresses, passwords and dates of birth; the attackers particularly targeted older Australians, who were likely to have substantial balances in their accounts.
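Credential stuffing has a recognisable shape in a portal's authentication logs: one source tries many different member accounts, roughly once each (the attacker already holds a candidate password per account), with a low but non-zero success rate. That is different from brute force, where one account absorbs many attempts. The following detector is an added example and is not code from the article or from any super fund; the JSON-lines log format (fields ts, ip, user, result), the IP addresses and the events are all constructed.

```python
"""Heuristic credential-stuffing detector over member-portal auth logs.

Added example; not code from the article or from any super fund. The JSON-lines
log format (fields ts, ip, user, result) and the events are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: one stuffing source trying many accounts once each with a
# couple of hits, one brute-force source hammering a single account, and one
# ordinary member who mistypes a password once.
SAMPLE_LOG = "\n".join([
    '{"ts":"2025-04-01T08:00:01Z","ip":"203.0.113.7","user":"m10001","result":"fail"}',
    '{"ts":"2025-04-01T08:00:03Z","ip":"203.0.113.7","user":"m10002","result":"fail"}',
    '{"ts":"2025-04-01T08:00:05Z","ip":"203.0.113.7","user":"m10003","result":"success"}',
    '{"ts":"2025-04-01T08:00:06Z","ip":"203.0.113.7","user":"m10004","result":"fail"}',
    '{"ts":"2025-04-01T08:00:08Z","ip":"203.0.113.7","user":"m10005","result":"fail"}',
    '{"ts":"2025-04-01T08:00:09Z","ip":"203.0.113.7","user":"m10006","result":"success"}',
    '{"ts":"2025-04-01T08:01:00Z","ip":"198.51.100.9","user":"m20001","result":"fail"}',
    '{"ts":"2025-04-01T08:01:02Z","ip":"198.51.100.9","user":"m20001","result":"fail"}',
    '{"ts":"2025-04-01T08:01:04Z","ip":"198.51.100.9","user":"m20001","result":"fail"}',
    '{"ts":"2025-04-01T08:01:06Z","ip":"198.51.100.9","user":"m20001","result":"fail"}',
    '{"ts":"2025-04-01T08:01:08Z","ip":"198.51.100.9","user":"m20001","result":"fail"}',
    '{"ts":"2025-04-01T08:05:00Z","ip":"192.0.2.44","user":"m30001","result":"fail"}',
    '{"ts":"2025-04-01T08:05:20Z","ip":"192.0.2.44","user":"m30001","result":"success"}',
])


def parse_log(text):
    """Parse JSON lines into dicts with an aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def densest_window(events, window):
    """For one source, find the sliding window of length `window` with the most
    distinct usernames. Returns (distinct_users, attempts, successful_users)."""
    best, j = (0, 0, []), 0
    for i in range(len(events)):
        while j < len(events) and events[j]["ts"] - events[i]["ts"] <= window:
            j += 1
        seg = events[i:j]
        users = {e["user"] for e in seg}
        hits = sorted({e["user"] for e in seg if e["result"] == "success"})
        if (len(users), len(seg)) > best[:2]:
            best = (len(users), len(seg), hits)
    return best


def classify_sources(events, window=timedelta(minutes=10), min_users=5, min_attempts=5):
    """Label each source IP. Stuffing: many distinct accounts, about one or two
    attempts each. Brute force: one account, many attempts. Accounts that logged
    in successfully from a stuffing source are listed as likely compromised."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        users, attempts, hits = densest_window(evs, window)
        if users >= min_users and attempts <= 2 * users:
            label = "credential_stuffing"
        elif users == 1 and attempts >= min_attempts:
            label = "brute_force"
        else:
            label = "benign"
        findings[ip] = {"label": label, "distinct_users": users, "attempts": attempts,
                        "compromised": hits if label == "credential_stuffing" else []}
    return findings


def accounts_to_lock(findings):
    """Union of accounts that need to be locked and forced through a second factor."""
    return sorted({u for f in findings.values() for u in f["compromised"]})


if __name__ == "__main__":
    result = classify_sources(parse_log(SAMPLE_LOG))
    for ip, finding in result.items():
        print(ip, finding)
    print("lock:", accounts_to_lock(result))
```

In production the source key would be an IP plus ASN or device fingerprint rather than a bare IP, because stuffing tools rotate through residential proxies; the per-account view (one account, successful login from a source that also failed against many other accounts) is the signal that survives that rotation. Note that a successful login from the stuffing source is exactly the event that single-factor password login cannot distinguish from the real member, which is the gap the rest of this section is about.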

5.2 Consequences and Immediate Responses#

Super fund members reported alarming incidents, such as balances temporarily showing as "$0" due to overloaded systems responding to suspicious activity, sparking panic among users. AustralianSuper and other affected funds responded by locking impacted accounts and advising all members to urgently verify their contact and banking details. They also recommended updating passwords and enabling multi-factor authentication (MFA) immediately to protect against further unauthorized access attempts.

The login area of AustralianSuper was not reachable for hours.

Despite existing recommendations and standards like the FSC Standard No. 29 and APRA Prudential Standard CPS 234 mandating stronger security measures including MFA, many funds still lacked robust phishing-resistant MFA solutions such as passkeys, highlighting the need for immediate action to secure consumer-facing platforms.

5.3 Why SMS Verification for Password Changes is not MFA#

Some super funds, like AustralianSuper, display a 6-digit SMS verification step when users attempt to change their password. While this may look like additional security, it is important to understand that this is not multi-factor authentication of the login: it is step-up authentication limited to one specific flow (the password change), while the login itself remains single-factor.


In reality, these platforms still allow users (and attackers) to log in with just a single factor: a username and password. Anyone who knows these credentials, whether obtained through phishing, credential stuffing or a data breach, can log in without being challenged by any second factor.

Even worse, the fallback mechanism, SMS, is widely considered a weak factor:

  • SMS codes can be intercepted via SIM swapping, SS7 attacks or malware on the phone, and relayed in real time by a phishing site.
  • Mobile numbers are often tied to an identity but are not proof of identity.
  • Phone numbers are recycled and reassigned, and SMS sender IDs can be spoofed, making them a weak trust anchor.

According to both the Australian Prudential Regulation Authority (APRA) and the Essential Eight Framework, true MFA must protect every login and ideally use phishing-resistant mechanisms like passkeys. FSC Standard No. 29 reinforces this by requiring MFA for all customer-facing portals by 2026 - but super funds should act now.

Implementing a second factor only when a user changes their password does not meet the MFA definition outlined in any of these frameworks. It leaves accounts dangerously exposed and provides a false sense of security to users.
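The difference is where the second-factor gate sits. The following model is an added example, not code from the article or from any super fund's portal: the portal, its members, balances, password hashes and secrets are constructed. TOTP (RFC 6238, implemented with the standard library) stands in for the second factor because it runs offline; the phishing-resistant choice this article recommends, passkeys, would need a WebAuthn library. In the weak configuration the password alone opens a full session and the SMS code is only checked when the password is changed; in the corrected configuration no session exists until the second factor has been verified.

```python
"""Step-up on password change versus MFA at login (added example; constructed
portal, members, secrets and balances; TOTP stands in for the second factor)."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass


# --- RFC 6238 TOTP with the standard library ---------------------------------
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, drift: int = 1) -> bool:
    # Accept the current step and +/- `drift` neighbouring steps, constant-time compare.
    return any(hmac.compare_digest(totp(secret, at + d * step, step), code)
               for d in range(-drift, drift + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Member:
    username: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    balance: float


@dataclass(frozen=True)
class Session:
    username: str
    amr: tuple  # authentication methods used, in the spirit of the RFC 8176 "amr" claim


class Portal:
    """Constructed member portal. mfa_at_login=False reproduces the pattern the
    article criticises: a password alone opens a session; an SMS code is only
    requested when the password is changed."""

    def __init__(self, members, mfa_at_login: bool):
        self.members = {m.username: m for m in members}
        self.mfa_at_login = mfa_at_login
        self.sms_outbox = {}  # username -> code "delivered" to the member's phone

    def login(self, username, password, second_factor=None, now=0):
        m = self.members.get(username)
        if m is None or not hmac.compare_digest(hash_password(password, m.salt), m.pw_hash):
            return None
        if not self.mfa_at_login:
            return Session(username, ("pwd",))            # single factor, full access
        if second_factor is None or not verify_totp(m.totp_secret, second_factor, now):
            return None                                    # no second factor, no session
        return Session(username, ("pwd", "otp"))

    def view_balance(self, session):
        return self.members[session.username].balance     # never step-up protected

    def send_sms_code(self, session):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.sms_outbox[session.username] = code           # goes to the member's phone
        return code

    def change_password(self, session, new_password, sms_code):
        # The only place the weak portal ever checks a second factor.
        if sms_code != self.sms_outbox.get(session.username):
            return False
        m = self.members[session.username]
        m.pw_hash = hash_password(new_password, m.salt)
        return True


def build_portal(mfa_at_login: bool) -> Portal:
    salt, secret = b"constructed-salt", b"constructed-totp-secret"
    member = Member("m10003", salt, hash_password("Summer2021!", salt), secret, 412_380.55)
    return Portal([member], mfa_at_login)


def stolen_password_attack(mfa_at_login: bool) -> dict:
    """Attacker holds username and password from an unrelated breach, but has no
    access to the member's phone or authenticator."""
    portal = build_portal(mfa_at_login)
    session = portal.login("m10003", "Summer2021!")
    if session is None:
        return {"logged_in": False}
    return {"logged_in": True,
            "balance": portal.view_balance(session),
            "password_changed": portal.change_password(session, "pwned", sms_code="000000")}


def legitimate_login(now: int = 1_700_000_000):
    portal = build_portal(mfa_at_login=True)
    code = totp(b"constructed-totp-secret", now)         # read from the member's authenticator
    return portal.login("m10003", "Summer2021!", second_factor=code, now=now)
```

In the weak configuration the attacker is stopped at the password change, but has already read the balance and, in a real portal, beneficiary and contact details. The session's amr tuple is the useful artefact: if every session created by login carries only ("pwd",), the portal has no MFA, whatever it shows during a password reset. Replacing the TOTP check with a WebAuthn assertion verification at the same point in login is what turns this into the phishing-resistant variant.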

5.4 What the Data Breach Means for Super Funds and Customers#

The breach emphasizes the critical importance of adopting stronger, phishing-resistant authentication methods, specifically passkeys. Unlike passwords or one-time codes, passkeys are per-site public-key credentials: the private key never leaves the authenticator, and nothing reusable leaks from a breach of another service, so a password list from an unrelated breach cannot be replayed against a passkey-protected account.

Given the scale and severity of this breach, affected super funds - and indeed the entire superannuation industry - must urgently prioritize the transition to passkey-based MFA solutions. This step will enhance the security of customer accounts, safeguard retirement savings, and restore public trust in the financial system.

5.5 Next Steps for Superannuation Funds#

To prevent such incidents in the future, super funds must:

  • Immediately enable passkey-based MFA for customer-facing applications.
  • Ensure robust incident response plans, including proactive customer notifications.
  • Conduct thorough data exposure assessments to identify and secure compromised credentials.
  • Educate customers on cybersecurity best practices, emphasizing unique passwords and promoting the use of phishing-resistant MFA methods like passkeys.

By implementing these measures, super funds can mitigate risks and protect against future cyber threats.

6. Conclusion#

In summary, the heightened focus on cybersecurity within superannuation funds, as highlighted by recent updates from APRA, the Essential Eight Framework, and FSC Standard No. 29, underscores the critical need for robust multi-factor authentication (MFA) mechanisms. This article addressed two main questions:

  • Why are Superannuation Funds an extremely vulnerable target? Superannuation funds hold vast amounts of money and sensitive personal information, making them highly attractive to cybercriminals. The widespread access and online interactions further increase the risk of breaches.

  • What recommendations and regulations are relevant for Australian Superannuation Funds? APRA, the Essential Eight Framework, and FSC Standard No. 29 all mandate or strongly recommend the implementation of MFA to protect against unauthorized access and cyber threats.

By prioritizing the adoption of phishing-resistant MFA, such as passkeys, superannuation funds can significantly enhance their security posture. This approach aligns with the stringent requirements and recommendations from key regulatory bodies, ensuring the highest level of protection for consumers' retirement savings and personal information. Adopting these measures now, rather than waiting for the 2026 deadline, is imperative to safeguard against the evolving threat landscape.
