
CPS 234 compliance countdown: what RSE licensees must do before 31 August

The Australian Prudential Regulation Authority (APRA) has reinforced its expectations for Registrable Superannuation Entity (RSE) licensees to urgently uplift their cyber resilience in line with their critical role in safeguarding member funds and data. This follows recent cyber incidents and growing concerns over authentication vulnerabilities across the superannuation sector.
Under Prudential Standard CPS 234 Information Security (CPS 234), APRA requires RSE licensees to ensure their information security controls are proportionate to the vulnerabilities, sensitivity, criticality and threat landscape of their information assets. APRA reinforced this requirement at its 11 August 2025 Superannuation Industry Roundtable, where it reiterated its expectations regarding authentication controls. Specifically, APRA emphasised the need for entities to uplift security measures immediately upon identifying a weakness, and to continually assess whether current capabilities are sufficient by testing preparedness and responses.
Meeting the requirements of CPS 234 is not simply a matter of technical compliance. The standard calls for a coordinated organisational response, where policy, process, and technology are aligned to address information security risks in a manner proportionate to the threat landscape. For superannuation funds, this means that compliance is best achieved when all relevant functions – governance, risk, compliance, legal, and technology – work together to interpret regulatory expectations and translate them into effective, practical controls.
We have previously provided commentary on the cyber considerations that superannuation boards should prioritise in light of recent industry-wide breaches, highlighting the importance of proactive governance, mitigating systemic vulnerabilities and member-centric responses to threats. Importantly, APRA expects entities to complete the following actions no later than 31 August 2025 to ensure compliance with CPS 234.
Key actions required from RSE licensees
APRA expects all RSE licensees to:
1. Conduct a comprehensive self-assessment of current information security controls, with particular focus on authentication mechanisms. This includes evaluating whether multi-factor authentication (MFA) or equivalent controls are in place for high-risk member activities (e.g. withdrawals, benefit payment requests, investment switches) as well as for administrative and privileged system access.
2. Report deficiencies in authentication controls. Where MFA or equivalent controls have not been implemented or are deficient, licensees must either submit a material control weakness notification to APRA or provide a detailed rationale explaining why the issue is not material. Where a material weakness is identified and notified to APRA, a breach assessment must be conducted to determine whether a formal breach notification under CPS 234 is required.
3. Nominate the Accountable Person(s) under the Financial Accountability Regime (FAR) responsible for CPS 234 compliance, including a breakdown of their specific responsibilities.
CPS 234 places particular emphasis on the need for timely identification and remediation of control weaknesses, especially in relation to authentication mechanisms for high-risk activities. This requires organisations to have clear internal processes for assessing current controls, escalating issues, and ensuring that any deficiencies are addressed promptly. Effective coordination between those responsible for policy, oversight, and technical implementation is essential to ensure that responses are both robust and defensible.
It is important to note that material information security incidents and material information security control weaknesses are reportable to APRA within timeframes prescribed in CPS 234. In Prudential Guide CPG 234 Information Security (CPG 234), APRA further states that it expects RSE licensees to notify it of any information security incidents or information security control weaknesses as soon as possible, even in the absence of complete information as to the incident and the intended response.
Alignment with FSC Standard No.29
In parallel, the Financial Services Council (FSC) has finalised its updates to Standard No. 29: Scam and Fraud Mitigation Measures for Superannuation Funds. The updated standard mandates the use of MFA for digital web and app-based high-risk transactions by 31 August 2025 (in line with APRA's compliance date), brought forward from the original compliance date of 1 July 2026.
The alignment of APRA’s CPS 234 requirements with the FSC’s updated Standard No. 29 further underscores the need for a unified approach. Implementing new scam and fraud mitigation measures—such as multi-factor authentication for high-risk transactions—often involves changes to systems, processes, and member communications. Success depends on careful planning, clear roles and responsibilities, and ongoing dialogue between those managing compliance obligations and those responsible for operational delivery.
What RSE licensee Boards should do now
With the 31 August 2025 deadline fast approaching, RSE licensees should act decisively to:
1. Review and strengthen authentication controls, ensuring MFA is in place for high-risk transactions and privileged access.
2. Conduct a self-assessment of current information security controls and address any identified weaknesses.
3. Submit required notifications to APRA, including material control weaknesses and breach assessments where applicable.
4. Nominate Accountable Person(s) under FAR responsible for CPS 234 compliance and advise APRA accordingly.
5. Align internal policies with FSC Standard No. 29, particularly concerning scam and fraud mitigation measures.
Boards should treat this with urgency, given the criticality and sensitivity of member assets and data and the increasing sophistication of cyber threats. Boards and management are expected to demonstrate a clear understanding of their organisation’s information security posture and regulatory obligations. This expectation extends beyond compliance checklists, requiring regular review of governance structures, risk assessments, and incident response capabilities. In practice, this means ensuring that information flows effectively between those monitoring the external regulatory environment and those responsible for day-to-day operations, so that emerging threats and compliance gaps can be addressed proactively.
Integrating CPS 234 compliance with RSE risk frameworks
While the immediate focus is on meeting the 31 August 2025 APRA deadline, RSEs should view this review not as a one-off compliance hurdle, but as a valuable opportunity to strengthen the fund's overall risk management framework. The review process should be approached as an integral part of ongoing risk governance, helping Boards and management to uplift identification, assessment, and mitigation of information security risks in a way that is consistent with how other material risks are managed across the business. By embedding the findings and actions from the CPS 234 review into the broader risk management strategy, RSE licensees can drive continuous improvement, enhance resilience, and better protect member interests in an evolving threat landscape.
CPS 234 sets a high bar for information security in the superannuation sector, requiring organisations to coordinate effectively across multiple functions to achieve and maintain compliance. By fostering strong internal collaboration and embedding information security into broader governance and risk management processes, superannuation funds will be better positioned to protect member interests and respond to the increasing sophistication of cyber threats.