NGS Super rapped by APRA over cyber deficiencies

ngs super cybersecurity APRA

11 December 2023
| By Laura Dew |
image
image image
expand image

APRA has imposed additional licence restrictions on NGS Super, which suffered a cyber attack earlier this year.

Significant deficiencies have been identified in the fund’s cyber controls, APRA said, which has 114,000 members and $14 billion in assets under management.

The fund suffered a cyber attack in March wherein a cyber attacker gained access to some of its systems for a short period of time. The super fund assured members the incident had not impacted their super savings or the funds’ assets, which remained secure on a separate platform. 

The restrictions, which will apply from 11 December, follow an internal report by NGS and an independent tripartite review undertaken at APRA’s request.

The reviews identified deficiencies in NGS’ compliance with Prudential Standard CPS 234 – Information Security, while the cyber incident involved a significant amount of data being lost and NGS’ systems being compromised for a period. 

APRA acknowledged that NGS has taken steps since the attack to address the review’s recommendations – the additional licence conditions will require NGS to engage with an independent third party to provide assurance regarding NGS’ remediation activities and to address the recommendations contained in the internal audit and tripartite review reports and conduct an operational effectiveness review of the CPS 234 controls and frameworks in place for NGS.  

NGS is required to provide APRA with an attestation from its chair that the actions are complete and effective and are compliant with CPS 234.

A statement from NGS Super said: "NGS Super is working with APRA to meet the additional requirements they have requested of the fund, primarily in relation to compliance with CPS 234. We’ve reviewed our processes and acted to further strengthen the protection of our members’ data and retirement savings. We’ve had multifactor authentication for a very long time and have now implemented enhanced cyber controls across the fund and we’ll continue to do so to minimize risk and maximize protection of our information security. 

"We remain confident of the actions we’ve taken and continue to do following a thorough review of our cyber security. We’re also committed to working with APRA and an independent party to identify and implement additional actions. Ultimately, this will lead to further assurance and protection for our members.

"We use administrative, physical, and technical safeguards to protect the confidentiality and integrity of personal information and data and are committed to protecting our members' personal information."

In May, APRA wrote to its regulated entities to reinforce the importance of multifactor authentication to protect sensitive data from cyber attacks.

In an open letter, Alison Bliss, general manager for operational resilience, cross-industry division, told APRA-regulated entities that it was a “material security control weakness” if firms failed to comply.

“Multifactor authentication (MFA) is one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and accessing sensitive information.”

 

Read more about:

AUTHOR

Recommended for you

sub-bgsidebar subscription

Never miss the latest news and developments in wealth management industry

MARKET INSIGHTS

Completely agree Peter. The definition of 'significant change is circumstances relevant to the scope of the advice' is s...

4 weeks ago

This verdict highlights something deeply wrong and rotten at the heart of the FSCP. We are witnessing a heavy-handed, op...

1 month ago

Interesting. Would be good to know the details of the StrategyOne deal....

1 month 1 week ago

Insignia Financial has confirmed it is considering a preliminary non-binding proposal received from a US private equity giant to acquire the firm. ...

1 week 5 days ago

Six of the seven listed financial advice licensees have reported positive share price growth in 2024, with AMP and Insignia successfully reversing earlier losses. ...

1 week 1 day ago

Specialist wealth platform provider Mason Stevens has become the latest target of an acquisition as it enters a binding agreement with a leading Sydney-based private equi...

1 week ago