$4.2t superannuation sector in crosshairs after cyberattacks

The Sydney Morning Herald
08 Apr

The financial regulator has stepped up its scrutiny of the $4.2 trillion superannuation industry after a co-ordinated attack on some of the country’s largest funds exposed serious cybersecurity weaknesses.

Australian Retirement Trust, AustralianSuper, HostPlus, Rest, Insignia Financial and Cbus, which have a combined 12.6 million members and manage more than $1 trillion worth of assets, fell victim to last month’s attack, in which hackers exploited the common practice of people reusing the same email address and password across different websites, an attack technique known as “credential stuffing”.

The hack attack on some of Australia’s largest super funds has exposed serious cybersecurity weaknesses. Credit: Monique Westerman

The Australian Prudential Regulation Authority has been warning the industry since 2023 to bolster its cybersecurity protections. It wrote to all regulated entities, including banks and super funds, in May 2023 about multifactor authentication (MFA) as being one of the “most effective controls an organisation can implement”.

MFA is a security measure that requires users to provide two or more proofs of identity to be granted access, such as a verification code sent to your phone after entering your password.

APRA’s general manager of operational resilience, Alison Bliss, said two years ago that while MFA was widely used, there were gaps in its implementation.


“APRA has noted examples where MFA for customers has been deployed on an opt-in basis, or where exceptions have been granted for customers without mobile phones or located in areas without reliable phone reception. Other examples include remote access being provided for third-party staff without associated MFA,” Bliss wrote.

“APRA expects APRA-regulated entities to review the coverage of MFA in their operating and technology environments. Where gaps in the coverage of MFA have the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers, APRA would consider this to be a material security control weakness, and … require an entity to notify APRA.”

HostPlus said its security safeguards included a web application firewall and MFA for access to its member online portal and the HostPlus app. Rest said MFA is used when members register for the app and its member access portal, but it was working to expand it to all logins.

Australian Retirement Trust said members can opt in to use MFA, and it had additional security requirements for some transactions. Insignia Financial said it uses MFA for “key activities” such as registration, withdrawals and changing bank account details. Cbus said it also used MFA for key activities.

AustralianSuper, which was the only fund to reveal that four of its members lost a combined $500,000 during the cyberattack, has MFA in place for members who request a withdrawal of funds via the website or app. A spokesman said it would roll out MFA controls more widely by next month.

On Tuesday, the regulator said it had been working with the Australian Securities and Investments Commission and the National Office of Cyber Security over the attack.

“In accordance with APRA’s protocols for responding to events of this type, supervision has been heightened across the industry with a focus on information sharing, and the monitoring and containment of issues – with the objective of protecting Australians,” an APRA spokeswoman said.

While APRA does not require the entities it regulates to use MFA, boards are ultimately responsible for the information security of their organisations. The Financial Services Council, which represents retail funds, requires its members to use MFA from July 2026.

Arctic Wolf director of security services Mark Thomas said APRA should mandate all financial services organisations, including super funds, to roll out MFA.


“Purely in credential stuffing, having MFA would help limit hackers’ ability to compromise the users’ credentials,” Thomas said.

“Ultimately, we need to have MFA enforced for everyone whenever someone accesses those portals, such as to update details, update to transferring of funds outside the organisation. But [it’s also important] to have a more holistic identity and access management that looks at time of day, behaviour of user, where they’re logging in from – that will all help limit the risk.”

A Department of Home Affairs spokeswoman said that “the National Office of Cyber Security continues to co-ordinate engagement across the Australian government and with industry stakeholders regarding the issues impacting the superannuation sector”.
