Discover why superannuation funds are vulnerable and how regulations, including FSC Standard No. 29, recommend MFA and phishing-resistant authentication.
Vincent
Created: July 10, 2024
Updated: October 10, 2024
2.1 Why Are Superannuation Funds Vulnerable?
2.2 Historical Breaches and Vulnerabilities
3.1 Australian Prudential Regulation Authority (APRA)
3.1.1 APRA's Guidelines on Authentication
3.1.2 Liability and Accountability
3.1.3 Consumer Authentication
3.2.1 Essential Eight Framework: November 2023 Update
3.2.2 Superannuation funds classification: Maturity Level 3
3.3 Financial Services Council Standard 29
A July 2024 update to the Financial Services Council (FSC) Standards has brought Superannuation Funds into the spotlight of ongoing security discussions. In line with the Cyber Security 2030 Agenda, the FSC has released new guidance for its members. In this article, we will explore:
Why are Superannuation Funds an extremely vulnerable target?
What recommendations and regulations are relevant for Australian Superannuation Funds with regard to consumer authentication?
Finally, we will provide recommendations on how Superannuation Funds with consumer-facing web portals can protect customers at the highest level.
2.1 Why Are Superannuation Funds Vulnerable?
Superannuation Funds are a crucial part of the financial landscape in Australia, serving as retirement savings accounts for millions of Australians.
Each consumer typically has one Superannuation account, making these funds an attractive target for cybercriminals due to the vast amounts of money and personal information they hold.
High-Value Targets: The significant sums of money accumulated in these funds over a consumer's working life make them highly lucrative for cybercriminals.
Sensitive Personal Information: Superannuation accounts contain extensive personal data, including identification details, financial information, and employment history. This information can be exploited for identity theft and fraud.
Widespread Access: With millions of Australians holding superannuation accounts, the widespread access increases the risk of breaches. Many consumers access their accounts online, creating numerous entry points for cyberattacks.
Total superannuation assets were $3.9 trillion at the end of March 2024, which underlines how important it is to protect consumers in this market.
2.2 Historical Breaches and Vulnerabilities
Several high-profile breaches have highlighted the vulnerabilities within superannuation funds:
Phishing Attacks: Cybercriminals often use phishing tactics to gain access to accounts. These attacks trick users into providing their login credentials or other sensitive information.
Weak Authentication Practices: Many superannuation funds have historically relied on simple username and password combinations. These are susceptible to brute-force attacks and to credential stuffing with passwords leaked in data breaches at other services, since consumers frequently reuse passwords.
Insufficient Security Measures: Some funds have not implemented robust security protocols, such as multi-factor authentication (MFA), leaving them more exposed to unauthorized access.
By understanding these vulnerabilities, superannuation funds can take proactive steps to strengthen their security measures and protect their members' assets and information.
In this section we briefly address the recommendations and regulations that bear on the authentication of consumers.
3.1 Australian Prudential Regulation Authority (APRA)
The Australian Prudential Regulation Authority (APRA) plays an important role in overseeing the financial stability and security of Australia's financial institutions, including superannuation funds. APRA's prudential standards and guidance are designed to ensure that these institutions adopt robust security measures to protect sensitive financial data and maintain trust in the financial system.
3.1.1 APRA's Guidelines on Authentication
APRA has issued comprehensive guidelines on the use of authentication mechanisms, particularly focusing on enhancing the security of consumer-facing applications. These guidelines are part of a broader set of regulations aimed at strengthening the overall cybersecurity posture of regulated entities. Key regulations and studies by APRA related to authentication include:
Prudential Standard CPS 234: This standard mandates that all regulated entities, including superannuation funds, must implement appropriate information security measures to protect the confidentiality, integrity, and availability of information assets. It specifically emphasizes the need for effective access controls, including strong authentication mechanisms.
Information Security Management: APRA’s information security management expectations require superannuation funds to continuously monitor and assess their security posture, including the effectiveness of their authentication practices. This includes regular reviews and updates to their authentication methods to address emerging threats.
Guidance on Multi-Factor Authentication (MFA): APRA strongly recommends the adoption of MFA for all critical systems, especially those accessible to customers. This guidance is based on the recognition that single-factor authentication methods, such as passwords, are insufficient to protect against sophisticated cyberattacks. MFA provides an additional layer of security by requiring users to present two or more verification factors to gain access.
While significant investment has gone into strengthening workforce authentication, consumer authentication on online portals often remains poorly protected.
3.1.2 Liability and Accountability
APRA's framework also outlines the responsibilities and accountability of superannuation funds in the event of a security breach. If a superannuation fund fails to implement adequate authentication measures, resulting in unauthorized access or data breaches, the fund could be held liable for any resulting damages.
Consumer Protection: APRA mandates that superannuation funds must have clear policies and procedures to protect consumers. This includes ensuring that authentication methods are secure and user-friendly, minimizing the risk of unauthorized access to consumer accounts.
Incident Response and Remediation: In the event of a security breach, superannuation funds are required to have robust incident response plans. These plans should include steps for notifying affected consumers, mitigating the impact of the breach, and taking corrective actions to prevent future incidents.
3.1.3 Consumer Authentication
For consumers accessing their superannuation funds, APRA's guidelines stress the importance of secure and reliable authentication methods. Superannuation funds are encouraged to implement the following measures to enhance consumer authentication:
Multi-Factor Authentication (MFA): Funds should adopt MFA to add an extra layer of security beyond just a username and password. MFA could include something the user knows (password), something the user has (security token or mobile device), and something the user is (biometric verification).
Phishing-Resistant Methods: APRA advises funds to consider how phishing attacks can be prevented. Phishing-resistant MFA methods (such as passkeys) provide stronger protection against credential theft than MFA based on one-time codes, because a user can be tricked into typing a code into a fraudulent site, whereas a passkey is bound to the genuine site and cannot be relayed.
Regular Security Updates: Authentication systems should be regularly updated to address new vulnerabilities and improve security. This includes updating software, applying patches, and reviewing authentication policies periodically.
By adhering to APRA’s guidelines and implementing strong, consumer-focused authentication measures, superannuation funds can significantly enhance their security posture, protect consumers’ sensitive information, and maintain trust in the financial system.
The Essential Eight Framework, developed by the Australian Cyber Security Centre (ACSC), is a set of mitigation strategies designed to help organizations enhance their cybersecurity posture. This framework has been widely recognized and adopted across various sectors in Australia due to its comprehensive approach to mitigating cyber threats.
3.2.1 Essential Eight Framework: November 2023 Update
The latest update to the Essential Eight Framework in November 2023 introduced several critical enhancements, emphasizing the need for robust cybersecurity measures in response to the evolving threat landscape, especially on the consumer side. This update is particularly relevant for superannuation funds given their critical role in managing retirement savings for millions of Australians.
3.2.2 Superannuation funds classification: Maturity Level 3
Superannuation funds, due to their significant importance and the sensitive nature of the data they hold, must align with the recommendations and requirements of Maturity Level 3 within the Essential Eight Framework. This level mandates more stringent security controls, recognizing that superannuation funds are high-value targets for cybercriminals.
Key requirements at Maturity Level 3 include:
Phishing-Resistant Authentication: One of the core components of Maturity Level 3 is the implementation of phishing-resistant authentication methods on the consumer side. This is crucial for protecting against sophisticated phishing attacks that aim to steal user credentials. Superannuation funds must deploy advanced authentication mechanisms, such as passkeys, which offer a higher level of security compared to traditional methods.
Multi-Factor Authentication (MFA): The framework explicitly requires the adoption of MFA for all systems and applications, particularly those accessible by customers. MFA adds an essential layer of security by requiring multiple forms of verification, significantly reducing the risk of unauthorized access.
By aligning with the Essential Eight Framework's Maturity Level 3 requirements, superannuation funds can significantly enhance their security posture, protecting the sensitive financial data of millions of Australians. The November 2023 update underscores the urgency and necessity of adopting these advanced security measures, making MFA and phishing-resistant authentication indispensable for consumer accounts.
3.3 Financial Services Council Standard 29
In July 2024, the Financial Services Council (FSC) introduced Standard No. 29, focusing on enhancing cybersecurity measures for superannuation funds.
The updated FSC Standard No. 29 includes several critical provisions aimed at bolstering the cybersecurity defenses of superannuation funds. Here are the key aspects:
Mandatory Multi-Factor Authentication (MFA): One of the central components of the updated standard is the requirement for all superannuation funds to implement MFA for accessing critical systems and consumer-facing web portals. This measure is designed to provide an additional layer of security, reducing the risk of unauthorized access through compromised credentials.
Phased Implementation Timeline: Recognizing the complexities involved in implementing robust cybersecurity measures, FSC Standard No. 29 sets a phased timeline for compliance. Superannuation funds are required to have MFA fully implemented by 2026. This phased approach allows funds to gradually enhance their security infrastructure while managing the operational and financial implications of these upgrades.
Alignment with Regulatory Expectations: The updated standard emphasizes the importance of aligning with the expectations set forth by regulatory bodies such as the Australian Prudential Regulation Authority (APRA). This includes adhering to guidelines on information security management and ensuring that authentication practices meet the rigorous standards required by APRA.
Consumer Protection Focus: FSC Standard No. 29 places a strong emphasis on protecting consumers. It mandates that superannuation funds must not only implement MFA but also ensure that these authentication mechanisms are user-friendly and accessible. This focus aims to enhance consumer confidence in the security of their retirement savings.
Regular Security Reviews: The standard requires superannuation funds to conduct regular security reviews and updates to their authentication systems. This ongoing assessment is crucial for maintaining a robust security posture in the face of evolving cyber threats.
Although the standard strongly recommends implementing MFA, it allows exceptions to the requirement in very rare circumstances, for example customers who do not have a smartphone.
The introduction of FSC Standard No. 29 represents a significant step forward in strengthening the cybersecurity framework of superannuation funds. By prioritizing the implementation of phishing-resistant MFA and other advanced security measures, superannuation funds can better protect their members' sensitive information and financial assets. The phased timeline provides a structured approach to achieving compliance, but the urgency of the current threat landscape necessitates proactive measures well before the 2026 deadline.
In conclusion, FSC Standard No. 29 underscores the critical importance of robust authentication mechanisms in safeguarding superannuation funds. By aligning with both regulatory guidelines and industry best practices, these funds can ensure the highest level of protection for their customers, thereby maintaining trust and confidence in their services.
The integration of multi-factor authentication (MFA) within superannuation funds is essential for enhancing security and protecting sensitive consumer information. Three key bodies:
the Australian Prudential Regulation Authority (APRA)
the Essential Eight Framework, and
the Financial Services Council (FSC) Standard No. 29
have provided comprehensive guidelines and requirements to ensure robust cybersecurity practices.
This table summarizes the recommendations and requirements, highlighting the importance of MFA and phishing-resistant authentication:
Regulatory Body | MFA |
---|---|
APRA | Strongly Recommended |
Essential Eight Framework | Required: Phishing-resistant |
FSC Standard No. 29 | Strongly Recommended |
The collective guidance clearly establishes the critical need for MFA within superannuation funds. The consistent emphasis on MFA, combined with the explicit warnings about phishing, points clearly toward passkeys. In our Essential Eight article we have laid out clear recommendations on how this can be achieved.
In summary, the heightened focus on cybersecurity within superannuation funds, as highlighted by recent updates from APRA, the Essential Eight Framework, and FSC Standard No. 29, underscores the critical need for robust multi-factor authentication (MFA) mechanisms. This article addressed two main questions:
Why are Superannuation Funds an extremely vulnerable target? Superannuation funds hold vast amounts of money and sensitive personal information, making them highly attractive to cybercriminals. The widespread access and online interactions further increase the risk of breaches.
What recommendations and regulations are relevant for Australian Superannuation Funds?
APRA, the Essential Eight Framework, and FSC Standard No. 29 all mandate or strongly recommend the implementation of MFA to protect against unauthorized access and cyber threats.
By prioritizing the adoption of phishing-resistant MFA, such as passkeys, superannuation funds can significantly enhance their security posture. This approach aligns with the stringent requirements and recommendations from key regulatory bodies, ensuring the highest level of protection for consumers' retirement savings and personal information. Adopting these measures now, rather than waiting for the 2026 deadline, is imperative to safeguard against the evolving threat landscape.