In June 2025, APRA issued a clear warning to the superannuation industry: too many funds are falling short of their obligations under CPS 234. In a strongly worded letter, the regulator cited weak implementation of identity and access controls, a lack of multi-factor authentication for critical systems, and inadequate oversight of third-party providers. In APRA’s view, these aren’t isolated oversights; they’re systemic failings that demand urgent attention.

CPS 234 exists to ensure financial institutions have the information security capability to withstand cyber threats and protect sensitive data. It’s not just a technical checklist; it’s a mandate that cuts across your people, policies, systems and service providers.

This matters not only because it exposes funds to regulatory penalties and increased scrutiny, but because it puts member data at risk, undermines trust, and erodes long-term confidence in the sector.

APRA has given regulated superannuation entities until 31 August 2025 to demonstrate compliance - a hard deadline that shifts CPS 234 from advisory to action.

In this blog, we unpack what CPS 234 demands, where super funds are falling short, and how you can course-correct quickly with the right technology, backed by an actionable strategy. Whether you’re a CISO, CRO or risk leader, now is the time to assess, adapt and act.

Understanding CPS 234 and what APRA’s really concerned about

CPS 234 is APRA’s mandatory prudential standard for information security. Introduced to address the rising frequency and severity of cyber threats, it requires all APRA-regulated entities, including superannuation funds, to maintain an information security capability commensurate with the size and extent of the threats to their information assets.

At its core, CPS 234 ensures that your security controls evolve with your environment, and that you have the visibility, accountability and response plans in place to minimise the impact of a security incident, whether it is caused by system failure, human error or a malicious actor.

But APRA’s letter makes it clear: too many super funds are failing to meet these expectations and the consequences are no longer theoretical.

What APRA called out:

  • Weak multi-factor authentication (MFA) for privileged and critical accounts
  • Incomplete implementation of security controls, especially in legacy systems
  • Over-reliance on third-party providers without verifying that they’re compliant

These gaps do more than increase breach risk: they undermine member trust, heighten regulatory exposure, and threaten the long-term stability of member services.

The takeaway? CPS 234 compliance isn’t a checkbox. It’s a continuous discipline and it starts with visibility and control over identity and access.

Tackling the Issue with The Missing Link and Silverfort

APRA’s CPS 234 review made one thing clear: identity and access controls are a major weak point in the superannuation industry.

In a world where attackers log in rather than break in, identity is your new perimeter, and without strong access controls, even the best policies won’t hold up. That’s why CPS 234 demands strict oversight of who can access critical systems, how that access is granted, and how it's enforced.

Silverfort addresses this gap directly by providing agentless multi-factor authentication (MFA), identity threat detection and response (ITDR), and continuous visibility across on-premises, cloud, and hybrid environments, including systems that couldn’t previously be protected.

Here’s how Silverfort maps to APRA’s CPS 234 control areas. For each requirement, the objective of the control is listed first, then how Silverfort can help:

Information Security Capability
  Objective: Maintain robust, adaptive security controls across all environments and third parties.
  Silverfort: Provides unified protection for all user, privileged and service accounts, with continuous monitoring across all environments.

Policy Framework
  Objective: Enforce structured, documented and consistently updated security policies.
  Silverfort: Applies adaptive, role- and risk-based access policies to enforce your framework in real time.

Asset Identification and Classification
  Objective: Maintain a complete, classified inventory of all information assets.
  Silverfort: Maps and monitors service accounts to highlight system dependencies and asset sensitivity.

Incident Management
  Objective: Detect and manage security breaches quickly, especially those involving privileged access.
  Silverfort: Delivers real-time Identity Threat Detection and Response (ITDR) to flag and block suspicious access activity.

Implementation of Controls
  Objective: Apply and maintain access and security controls throughout the asset lifecycle.
  Silverfort: Enables critical controls such as MFA for legacy systems, privileged access protection and lateral movement prevention, protecting assets throughout their lifecycle.

Testing Control Effectiveness
  Objective: Prove controls are working through independent, ongoing testing and reporting.
  Silverfort: Provides live control validation, reporting and audit logs for internal and external assessments.

Internal Audit
  Objective: Ensure audit teams can assess and assure control effectiveness.
  Silverfort: Supplies comprehensive access logs and reports for deep audit review and board assurance.

APRA Notification
  Objective: Report material control weaknesses or incidents within regulatory timeframes.
  Silverfort: Offers real-time incident detection and reporting to support APRA’s notification timeframes. Note that CPS 234 sets two clocks: a material information security incident must be notified no later than 72 hours after the entity becomes aware of it, and a material information security control weakness within 10 business days. The obligation to notify rests with the regulated entity; the tooling shortens the time to detect and evidence the event, it does not discharge the duty.

How The Missing Link helps you implement this

Silverfort gives you the tools. We help you make them work in the real world.

At The Missing Link, we translate CPS 234 from regulatory expectation into operational certainty, bridging the gap between policy and practice with a blend of strategy, technical implementation and real-world resilience.

For every pillar of CPS 234, we bring in-depth support across people, process and technology.

People

  • We deliver CPS 234-aligned advisory to Boards, CISOs and executive teams
  • Run tailored incident simulations to test readiness and response
  • Provide awareness training to close the human risk gap, often the weakest link in access control

Process

  • Design and document risk-based access control frameworks
  • Define and implement compensatory controls for systems not ready for full technical enforcement
  • Build audit-ready evidence packs, policies and procedures that meet APRA’s expectations

Technology

  • Deploy and configure Silverfort across your hybrid environment
  • Integrate with your existing identity infrastructure and SIEM platforms
  • Enable real-time monitoring and reporting to support internal audit and regulatory notification

Whether you’re just starting your compliance journey or facing a hard deadline after an APRA warning, our team is ready to help you respond with confidence and clarity.

Action, not intention, builds resilience

APRA’s message couldn’t be clearer. Having policies on paper isn’t enough. Good intentions won’t protect member data, satisfy auditors or meet regulatory deadlines. What matters is execution.

Silverfort gives you the visibility and enforcement layer across all identities, especially where traditional MFA and access controls fall short.

At The Missing Link, we ensure those controls are implemented correctly, supported by the right people, policies and governance.

Whether you need:

  • A fast path to secure privileged access
  • Compensatory controls for legacy systems
  • A readiness assessment aligned to APRA’s expectations

we’re ready to help.

You don’t need a dozen tools. You need a partner who knows how to make them work.

With the 31 August deadline approaching fast, now is the time to assess your CPS 234 maturity and close any remaining gaps with confidence.

Get in touch to book a CPS 234 readiness assessment or strategy workshop.


Author

David Bingham

David Bingham is Security Sales Manager for The Missing Link’s Southern Region, where he leads with energy, empathy and a love of complex problem-solving. Known for blending strategic thinking with a passion for people, David creates space for his team—and clients—to thrive. He’s all about building trust, tackling cyber security challenges head-on, and keeping the conversation real (and fun). Whether he’s in a high-rise talking strategy or behind the decks as Melbourne techno DJ Obsessive Behaviour, David brings the same sharp focus, infectious energy and creative spark to everything he does.