Why MFA can’t wait: Meeting APRA’s cyber mandate before the clock runs out

With a hard deadline of 31 August 2025 fast approaching, the message from APRA couldn’t be clearer: for Australia’s superannuation sector, strong authentication is no longer a “nice to have.” It’s a regulatory imperative, and time is running out.

The obligation of superannuation entities to ensure the safety and security of members’ retirement savings and member data is non-negotiable. That’s why APRA has issued an urgent call to action for all APRA- Registrable Super Entities (RSE) licensees to strengthen their cyber resilience ahead of the cut-off.

As someone who works closely with financial services customers on cyber risk posture, compliance strategies, and incident response planning, I can say with confidence: super funds must act quickly or risk falling short of CPS 234. The Australian Prudential Regulation Authority has issued a blunt warning to trustees of RSE licensees: tighten your authentication controls, or prepare to explain why not.

This directive comes on the back of several credential-stuffing attacks that exposed significant weaknesses in how customer identities are secured and cost unsuspecting members hundreds of thousands of dollars.

APRA wants assurance that RSE licensees will not be vulnerable to the credential stuffing attacks we’ve recently seen at Australian superfunds. That means performing a self-assessment of your existing cyber controls, evaluating their strength, and putting robust authentication in place for all high-risk activities. If those controls are inadequate, entities may be obligated to report a breach under CPS 234.

Credential stuffing remains one of the easiest ways for attackers to gain unauthorised access. Attackers use stolen credentials from unrelated breaches to log into accounts. Once inside, they can redirect funds, alter banking details, or harvest sensitive personal information unless strong controls like multi-factor authentication (MFA) or behavioural verification are in place.

Cybersecurity standard behind the crackdown

So what’s required? APRA’s directive stems from Prudential Standard CPS 234 Information Security, a long-standing prudential standard on information security. It mandates that all APRA-regulated entities implement controls commensurate with the threats they face. And in today’s environment, credential theft and impersonation sit firmly at the top of that list.

The current push is focused on MFA. At a minimum, APRA expects MFA (or an equivalent control) to be enforced for actions such as:

• Changing member details
• Withdrawals
• Benefit payment, transfer, or rollover requests
• Investment switching
• All administrative or privileged access

Although MFA is widely adopted in theory, APRA’s concern lies in the gaps: the accounts, systems, and user journeys where it’s absent or inconsistently applied.

While APRA recognises efforts across the industry to improve cyber defences, the evolving threat environment demands faster and more holistic implementation of critical controls, alongside the ability to respond quickly to cyber incidents.

Zero Trust, Real Risk

This is about more than ticking compliance boxes. APRA’s strategy is about laying the groundwork for a zero-trust model where access is never assumed, and identity protections stand between scammers and member funds.

The vision isn’t limited to MFA. It’s about building an environment where no access attempt is automatically trusted, even if the correct username and password are used. Superfunds manage money, and scammers want money. Without best-practice identity controls – MFA, login rate limiting, behavioural analysis – a leaked password can be all it takes to drain an account.

During the cyber-attacks on superannuation funds earlier this year, scammers used stolen credentials to access member accounts, siphoning more than $750,000 before the breach was detected.

This is why “defence in depth” matters. Even if one control fails, others need to be in place to catch it. You have to have layered controls to pick up the deficiencies in other controls. That’s how you build true cyber resilience.

What Superfunds – and their IT partners – must do now

For CIOs, CISOs, and risk leaders, the next two months present a critical window. So, what are the critical next steps?

APRA expects all RSE licensees to undertake a formal self-assessment of their authentication controls, evaluating both their implementation and overall effectiveness. This includes the mandatory use of MFA for high-risk transactions and privileged access. Entities are also required to report any material weaknesses and to notify APRA of any security breaches or control failures that fall short of the CPS 234 standard.

Where authentication controls are found to be inadequate, RSE licensees must take formal action. This includes reporting the weakness to APRA, conducting a CPS 234 breach assessment, and submitting a breach notification if it meets the threshold. Failing to do so could expose the entity to regulatory scrutiny, and increased risk for member funds.

My top tips for readiness include:

• Understand your CPS 234 obligations and set up a compliance regime
• Enforce MFA across all high-risk activities and privileged access
• Monitor and block credential stuffing attempts using behavioural detection
• Educate execs and boards on breach reporting risks
• Partner early to assess authentication gaps before the deadline

If that sounds daunting, you’re not alone. Many RSE licensees are now turning to specialist partners to accelerate the process.

Closing the gaps before the deadline

That’s why Interactive’s cyber arm, Slipstream Cyber, has introduced a lightweight readiness package under our Cyber Flex umbrella. Designed specifically for MFA compliance, the 20-hour engagement offers:

• A focused review of authentication methods across up to four business-critical applications
• Verification that MFA or equivalent controls are in place for high-risk activities, such as changing member details, processing withdrawals or benefit payments, handling transfer or rollover requests, investment switching, and all forms of administrative or privileged access
• A structured report detailing observations, identified weaknesses (if any), accountable parties, and actionable next steps
• Delivery by Slipstream’s specialist Cyber + Cloud team
• We’ll work with you to ensure a timely delivery

There’s a clear appetite for pragmatic support. This is about helping our customers understand their gaps, remediate quickly, and meet APRA’s expectations with confidence.

Role of IT partners in building resilience

Cyber security isn’t a solo mission. While superannuation entities hold ultimate accountability, strategic IT partners play a ‘vital role’ in helping them meet, and exceed, regulatory expectations.

From strengthening identity controls to accelerating compliance efforts, IT partners can support RSE licensees by:

• Implementing and managing MFA across critical systems
• Designing robust identity and access management frameworks, including login rate limiting and real-time detection of suspicious activity
• Guiding clients through CPS 234 compliance, from documenting current controls to validating effectiveness and preparing breach notifications
• Engaging boards and executives in understanding the urgency of APRA’s mandate and the business risks of non-compliance
• Educating internal teams and fund members on cyber threats and the correct use of authentication tools
• Providing specialist assessments (like Cyber Flex) that help surface control gaps and prioritise action

By taking a proactive, partner-led approach, IT providers can help superfunds not only meet the letter of APRA’s law, but also raise the bar on trust, accountability, and long-term resilience.

Beyond compliance: A strategic opportunity

While the clock is ticking on the August deadline, industry leaders are using this moment as a springboard — not just for compliance, but for long-term trust.

Protecting identities is one of the core pillars of stopping scams and fraud. If you get identity right, security becomes a whole lot more manageable.

For many superfunds, this isn’t just a technical check-box exercise; it’s a chance to revisit the fundamentals of how they safeguard member data, deliver digital experiences, and ensure operational resilience.

It’s also a time for leadership. We’re talking about safeguarding people’s retirement futures. That’s a responsibility that deserves investment, not just compliance.

Cyber security is, ultimately, a shared responsibility. As APRA reminds boards in its letter to chairs, superannuation entities are custodians of more than $4 trillion in member funds. The risks are real. The time to act is now.

Now is the time for IT leaders to embed strong, layered controls, and for boards to be confident in the strength of their defences.

Need help with APRA MFA compliance? Slipstream Cyber’s Cyber Flex – MFA Readiness Package is designed for fast, expert guidance tailored to APRA’s latest expectations.