Regulator slaps NGS Super with licence conditions after cyber breach

APRA NGS Super imposition cyber breach

Prudential regulator APRA has imposed additional licence conditions on industry super fund NGS Super (NGS) after “significant deficiencies” were identified in NGS’ cyber controls.

Under APRA orders, NGS will be required to engage an independent third party to:

  • assure NGS’ remediation activities and address the recommendations contained in the internal audit and tripartite review reports; and
  • conduct an operational effectiveness review of the CPS 234 controls and frameworks in place for NGS.

The imposition of the additional licence conditions comes after the super fund revealed it had suffered a major cyber breach in March this year, with the regulator stating that the incident “involved a significant amount of data being lost and NGS’ systems being compromised for a period”.

NGS declared that it had detected and shut down the incident on the same day, March 17; however, it appears the organisation was not able to do so before the attacker exfiltrated data.

At the time, NGS insisted that the attacker had stolen only “limited data” from its systems.

The stolen data was stored on “internal drives”, according to NGS, which for certain members included “primary identifiers”.

The super fund said it could not publicly disclose the exact number of customers nor the details of the types of information impacted.

In an update issued in early July, NGS said it had conducted a “comprehensive forensic investigation”, stating it was “confident that we know what the source of the attack was and we have taken all necessary steps to restore and update the security of our systems”.

NGS said the incident did not impact member super savings or the fund’s assets, which remain secured on “a separate platform”.

APRA acts

APRA said its most recent enforcement action against NGS was based on an internal audit report, prepared in August 2022, as well as an independent CPS 234 Information Security tripartite review undertaken at APRA’s request and delivered in April 2023 – a one-off audit imposed by APRA and involving the regulator, the regulated entity (NGS Super), and an independent auditor.

The reviews identified deficiencies in NGS’ compliance with Prudential Standard CPS 234 – Information Security, which prescribes a number of principles APRA expects regulated entities to follow and implement to maintain the safety and security of data.

On completion of the operational effectiveness review, NGS is required to provide APRA with an attestation from the NGS chair that the remediation actions are complete and effective, and that the entity is compliant with CPS 234.

“We have reviewed our processes and acted to further strengthen the protection of our members’ data. We’ve already implemented enhanced cyber controls across the fund, and we’ll continue to do so to maximise the protection of data,” NGS wrote in its latest update on the matter.

In response to the additional licence conditions, NGS acknowledged APRA’s “integral” role in “ensuring all super funds are doing everything possible to benefit and protect members”.

“We understand and respect this and are working with APRA to meet the fund’s requirements.”

NGS Super, which provides specialised superannuation for the education and community sectors, counts 114,000 members, with $14 billion in assets under management.

The additional licence conditions will be in effect from 11 December 2023.