How we’re protecting our members
08 Dec 2023
NGS has been asked by the Australian Prudential Regulation Authority (APRA) to undertake some additional actions in relation to our compliance with CPS 234. CPS 234 refers to APRA’s cybersecurity standards.
Ensuring all super funds are doing everything possible to benefit and protect members is an integral part of APRA’s role. We understand and respect this and are working with APRA to meet the fund's requirements.
We have reviewed our processes and acted to further strengthen the protection of our members’ data. We’ve already implemented enhanced cyber controls across the fund, and we’ll continue to do so to maximize the protection of data.
We remain confident of the actions we’ve taken and continue to take, following a thorough review of our cyber security. We’re also committed to working with APRA and an independent party to provide assurance that the actions we’ve taken address the requirements of CPS 234.
If you have any questions, please call our Helpline on 1300 133 177. The Helpline is available Monday to Friday, 8am-8pm (AEST/AEDT).
What licence conditions has APRA imposed on NGS?
While NGS is well advanced with regard to addressing the recommendations provided in internal audit and tripartite reviews particularly following the cyber incident earlier this year, APRA has imposed additional licence conditions that will require NGS to engage an independent third party to:
- Provide assurance about the remediation activities we have put in place to date.
- Conduct an operational effectiveness review of the CPS 234 controls and frameworks. CPS 234 is the prudential standard that details the information security measures we should have in place.
- The chair to provide an attestation that we have implemented all recommendations and are complying with our requirements under prudential standard CPS 234.
Does this mean NGS was non-compliant with CPS 234?
CPS 234 prescribes several principles our regulator expects us to follow and implement to ensure information is safe and secure.
While NGS has always placed members at the centre of what we do, we recognise that some of our historical practices and governance structures around information security were not as rigorous as they should have been.
Since the deficiencies were identified, substantial resourcing and technical capability have been put into remediation efforts, and we’ve been working collaboratively with APRA to address their concerns.
Why does APRA have to impose these conditions? Was NGS not supplying the right information?
APRA is responsible for the prudential regulation of financial institutions and will provide guidance to funds where necessary.
NGS has been working closely with APRA to provide them with all the required information as well as complying with all conditions.
Is this proof that your cyber breach was because the fund didn’t have the right protection in place to begin with?
NGS is committed to protecting our members' personal information, and we take all reasonable steps to ensure it is secure.
We use administrative, physical and technical safeguards to protect the confidentiality and integrity of personal information and data.
Threat actors are becoming more and more sophisticated. As we’ve seen recently, no organization is immune. We acknowledge that there are areas we can be better at, and our remediation program is addressing this.
What is the cost of having to engage more third parties to protect the fund? Will this impact members’ fees?
We cannot disclose the details of commercial arrangements relating to the engagement of a third party.
We can confirm that costs will not impact member fees.
What is a tripartite review?
A Tripartite Review is a one-off audit requirement from APRA. It involves APRA, the regulated entity (NGS Super Pty Limited in this instance), and an independent auditor. The Tripartite Review assesses a regulated entity’s compliance against APRA’s CPS 234 Information Security standard.
It is also sometimes referred to as a CPS 234 Information Security Tripartite Review or Audit.
You have said that you refocused your fund strategy in 2022 to elevate attention on operational excellence – do these imposed conditions undermine this strategy or your ability to implement it?
No, these conditions support our focus and the work we’re undertaking to improve operational excellence.
We don’t foresee any impact on our ability to implement our strategy.
Our strategy will always consider and reflect future changes in regulation, markets and technologies.
Are members' funds still safe?
Yes, these conditions do not affect your funds in any way. Members’ super savings and the Fund’s assets have been secure at all times.
Is member data now safe?
As part of our remediation activities, enhanced cyber controls have been implemented across the Fund, including partnering with leading security providers in the Australian market to implement multiple layers of cyber controls.
This incident has not impacted member super savings or the Fund’s assets. They have always been secure on a separate platform.
Throughout remediation activities, we’ve worked closely with APRA to ensure we continue to meet their expectations.
Is the fund still able to operate?
Yes, our day-to-day operations will not be impacted, and member super savings and the fund’s assets will not be impacted.
Following the cyber incident early this year, the fund has come under scrutiny from APRA, as it should.
We have been working with the regulator and independent third parties to undertake specified assurance activities to ensure we have the highest standards in place to protect our members.
How long will these conditions be in place?
NGS will work with the independent third party to undertake the required activities over the coming months to resolve APRA’s concerns.