NGS Super rapped by APRA over cyber deficiencies

ngs super cybersecurity APRA cyber threats

11 December 2023
| By Laura Dew |
expand image

APRA has imposed additional licence restrictions on NGS Super, which suffered a cyber attack earlier this year.

Significant deficiencies have been identified in the fund’s cyber controls, APRA said, which has 114,000 members and $14 billion in assets under management.

The fund suffered a cyber attack in March wherein a cyber attacker gained access to some of its systems for a short period of time. The super fund assured members the incident had not impacted their super savings or the funds’ assets, which remained secure on a separate platform. 

The restrictions, which will apply from 11 December, follow an internal report by NGS and an independent tripartite review undertaken at APRA’s request.

The reviews identified deficiencies in NGS’ compliance with Prudential Standard CPS 234 – Information Security, while the cyber incident involved a significant amount of data being lost and NGS’ systems being compromised for a period. 

APRA acknowledged that NGS has taken steps since the attack to address the review’s recommendations – the additional licence conditions will require NGS to engage with an independent third party to provide assurance regarding NGS’ remediation activities and to address the recommendations contained in the internal audit and tripartite review reports and conduct an operational effectiveness review of the CPS 234 controls and frameworks in place for NGS.  

NGS is required to provide APRA with an attestation from its chair that the actions are complete and effective and are compliant with CPS 234.

A statement from NGS Super said: "NGS Super is working with APRA to meet the additional requirements they have requested of the fund, primarily in relation to compliance with CPS 234. We’ve reviewed our processes and acted to further strengthen the protection of our members’ data and retirement savings. We’ve had multifactor authentication for a very long time and have now implemented enhanced cyber controls across the fund and we’ll continue to do so to minimize risk and maximize protection of our information security. 

"We remain confident of the actions we’ve taken and continue to do following a thorough review of our cyber security. We’re also committed to working with APRA and an independent party to identify and implement additional actions. Ultimately, this will lead to further assurance and protection for our members.

"We use administrative, physical, and technical safeguards to protect the confidentiality and integrity of personal information and data and are committed to protecting our members' personal information."

In May, APRA wrote to its regulated entities to reinforce the importance of multifactor authentication to protect sensitive data from cyber attacks.

In an open letter, Alison Bliss, general manager for operational resilience, cross-industry division, told APRA-regulated entities that it was a “material security control weakness” if firms failed to comply.

“Multifactor authentication (MFA) is one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and accessing sensitive information.”


Read more about:


Add new comment

The content of this field is kept private and will not be shown publicly.

Recommended for you

sub-bgsidebar subscription

Never miss the latest news and developments in wealth management industry




4 days 12 hours ago
Chris Cornish

What a sticth-up. Looks like Labor Senator Jess Walsh follows Stephen Jones who follows what the industry super funds ...

4 days 9 hours ago
Peter Swan

This report is a blatant display of far-left factional partisanship, treating superannuation funds as state property and...

4 days 10 hours ago

ASIC has cancelled the AFS licence of a Sydney wealth firm, the fifth Sydney firm to see a cancellation since the start of the year....

2 weeks 5 days ago

More than 20 winners from the funds management industry have been crowned at this year’s awards....

1 week 5 days ago

ASIC has obtained interim orders from the Federal Court to freeze the assets of a registered managed fund and prevent its former director from leaving Australia. ...

6 days 9 hours ago