APRA’s chair John Lonsdale has given superannuation funds, banks and insurers another prod to improve “foundational issues” on cybersecurity.
Since Optus and Medibank suffered devastating cyber-attacks last year, super funds have tightened security controls and surveillance systems to protect members’ data against breaches.
At the beginning of 2023, APRA listed cyber resilience as a key area of supervision. Several funds told Investment Magazine at that time that they had introduced security measures such as extra verification checks and regular penetration tests of their network perimeters.
However, in a speech at a FINSIA regulation summit on Thursday, Lonsdale said their efforts so far were not good enough.
He said many financial services institutions are still struggling to cover “foundational issues”, including “ensuring third party controls are effective, making sure that systematic security control testing is in place, and regularly testing incident response plans”.
When the situation calls for it, he said, APRA will take more drastic intervention steps.
“Where an entity is found to be significantly wanting in its cyber preparedness, we are intensifying supervision, insisting upon remediation plans, and taking enforcement action such as capital overlays and potentially license conditions.”
Lonsdale said experience has shown that strengthening cybersecurity needs a multi-agency approach, but APRA will continue with preventative measures to ensure the financial services sector has processes and systems in place to “repel” crises. Other government entities present at the event included the Reserve Bank of Australia, ASIC and AUSTRAC.
Specifically in superannuation, Lonsdale reiterated that liquidity risks are still on top of the regulatory agenda. The regulator is expecting to continue its controversial work on the valuation of unlisted and illiquid asset classes, as well as around transparency and product underperformance.
It came after APRA released the SPG 530 Prudential Practice Guide earlier this year, which will require unlisted asset valuations to occur at least quarterly.
There’s also the much-discussed issue of the retirement income covenant. APRA has expressed disappointment on multiple occasions about the lack of real action from trustees to meet the legislation’s requirements and improve retirement outcomes for members, since a scathing review in July. APRA is set to survey the improvements made by trustees again in the coming months.
“Historically the superannuation sector has succeeded in helping Australians accumulate income for retirement but fared much poorer at offering options to manage that money through retirement,” Lonsdale said.