TL;DR

  • APRA-regulated entities face mandatory cybersecurity standards — APRA's CPS 234 (Information Security) establishes legally binding information security requirements for all APRA-regulated institutions, including insurers and superannuation funds.
  • Non-compliance can trigger licence cancellation — APRA has enforcement powers including licence variation or cancellation for serious or repeated CPS 234 breaches. The prudential regulator takes cybersecurity failures seriously.
  • The average data breach costs AUD $4.26 million — per IBM's Cost of a Data Breach Report 2024; financial services breaches cost significantly more due to regulatory penalties, customer compensation, and loss of trust.
  • Insurance is a top target for cybercriminals — The financial services sector consistently ranks among the most targeted industries globally due to the high value of financial and personal data held.

Why Insurance & Superannuation Businesses Are Cybersecurity Targets

Australia's financial services sector — including general insurance, life insurance, reinsurance, and superannuation — manages over AUD $3.5 trillion in assets on behalf of millions of Australians. Insurance companies and super funds hold exceptionally sensitive data: personal and financial information, health records (for life and income protection insurance), investment details, beneficiary information, and identity documents. This data is valuable to cybercriminals for identity theft, fraud, and extortion. The Australian Prudential Regulation Authority (APRA) identifies cybersecurity as one of the top prudential risks facing the financial sector.

The Medibank Private breach of 2022 starkly illustrated the stakes: 9.7 million customer records were exfiltrated and published on the dark web after the insurer refused to pay a ransom. Total costs exceeded AUD $125 million by 2024 and continue to rise, with civil penalty proceedings ongoing. While Medibank is a large insurer, the same attack vectors — phishing, credential theft, vulnerable software, social engineering — are used against smaller insurers and super funds. A breach at a smaller fund may not make national headlines, but it can be equally devastating for affected members and the institution's viability.

Superannuation funds face particular exposure due to the life-changing nature of retirement savings. A compromised superannuation account can result in theft of a member's entire life savings, and the reputational damage can trigger mass member exits. Insurance companies face similar risks from ransomware attacks that threaten to publish sensitive health and claims data. Both sectors face stringent regulatory expectations: APRA's CPS 234 (Information Security) mandates that all APRA-regulated entities maintain information security capability that is commensurate with the size and extent of the risks they face.


The Top 3 Cybersecurity Threats for Insurance & Superannuation

1. Ransomware and Data Extortion

Ransomware is the single greatest cyber threat to Australian insurers and superannuation funds. Attackers understand that financial services institutions have low tolerance for downtime and high sensitivity to data publication. The ASD's 2024–2025 Annual Cyber Threat Report identifies financial services as a top target for ransomware actors. When Medibank Private was attacked in 2022, the attackers exfiltrated 9.7 million records before deploying ransomware, then demanded both a decryption payment and a separate extortion payment to not publish the data. When Medibank refused, the data was published on the dark web in tranches.

For insurers, the extortion threat is particularly acute. Health claims data, mental health records, and income protection documentation contain highly sensitive personal health information. Publication of this data would breach APP 11 under the Privacy Act, trigger breach notification obligations, and cause severe reputational harm. For super funds, the threat is theft of member balances and publication of member financial details. The Cyber Security Act 2024 introduces mandatory ransomware payment reporting from 30 May 2025 for entities with turnover above AUD $3 million — meaning that an insurer or super fund's decision to pay or not pay ransom must be reported to the ASD within 72 hours.

2. Business Email Compromise (BEC) and Payment Fraud

BEC is a critical-priority threat for insurance and superannuation, particularly for claims processing and outbound payments. Attackers compromise email accounts through phishing or credential theft, then monitor communications to understand payment processes. For insurers, this might involve impersonating a supplier or vendor to redirect claim payments; for super funds, attackers might impersonate members to initiate fraudulent withdrawals or redirect benefit payments. IBM's 2024 Cost of a Data Breach Report identified BEC and phishing as the top two attack vectors in Australia.

Superannuation funds face additional exposure from member account takeover. Attackers who compromise member credentials through phishing or credential stuffing can initiate fraudulent withdrawals, change bank account details, or in some cases access investment menus to manipulate portfolio allocations. The widespread use of self-managed super fund (SMSF) administration platforms and member portals expands the attack surface. Funds must balance security with member experience — excessive friction can drive member complaints, but insufficient controls enable fraud.
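One way a fund can make that trade-off concrete is risk-based step-up authentication: read-only requests proceed on the existing session, withdrawals and bank-detail changes require a fresh phishing-resistant MFA assertion unless one was given minutes ago, and the account-takeover sequence (money out to recently changed details from an unfamiliar device or country) is held for manual review. The following is an added illustration, not code from the original article or from any fund; the action names, thresholds, cooling-off window and sample scenario are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed illustration of a risk-based step-up policy for a member portal.
# Action names, thresholds and the cooling-off window are assumptions, not any fund's rules.
SENSITIVE_ACTIONS = {"withdraw", "change_bank_details"}
STEP_UP_MAX_AGE = timedelta(minutes=10)      # how long a fresh MFA assertion is trusted
BANK_CHANGE_COOLING_OFF = timedelta(days=7)  # newly changed payment details stay suspect
LARGE_WITHDRAWAL_RATIO = 0.5                 # share of balance that counts as "large"
NOW = datetime(2025, 6, 1, 12, 0)            # constructed clock for the sample scenarios
MINUTE, DAY = timedelta(minutes=1), timedelta(days=1)

@dataclass
class Session:
    device_known: bool              # device previously bound to this member
    ip_country: str                 # country of the request source
    mfa_at: datetime | None = None  # last phishing-resistant MFA assertion; None = password only

@dataclass
class MemberProfile:
    country: str
    balance: float
    bank_details_changed_at: datetime | None = None

def decide(action: str, amount: float, now: datetime,
           session: Session, profile: MemberProfile) -> tuple[str, list[str]]:
    """Return (decision, reasons): "allow", "step_up" (fresh MFA required) or
    "hold" (park for manual review). Read-only actions never add friction."""
    if action not in SENSITIVE_ACTIONS:
        return "allow", []
    reasons = [f"sensitive action: {action}"]
    unfamiliar = not session.device_known or session.ip_country != profile.country
    if not session.device_known:
        reasons.append("unrecognised device")
    if session.ip_country != profile.country:
        reasons.append("request country differs from member's country")
    recent_bank_change = (profile.bank_details_changed_at is not None
                          and now - profile.bank_details_changed_at < BANK_CHANGE_COOLING_OFF)
    if action == "withdraw":
        if recent_bank_change:
            reasons.append("withdrawal inside bank-detail cooling-off period")
        if profile.balance > 0 and amount >= LARGE_WITHDRAWAL_RATIO * profile.balance:
            reasons.append("withdrawal is a large share of the balance")
        # Money out to recently changed details from an unfamiliar context is the
        # account-takeover sequence; a fresh MFA assertion alone should not release it.
        if recent_bank_change and unfamiliar:
            return "hold", reasons
    mfa_fresh = session.mfa_at is not None and now - session.mfa_at <= STEP_UP_MAX_AGE
    return ("allow" if mfa_fresh else "step_up"), reasons

if __name__ == "__main__":
    member = MemberProfile("AU", 100_000.0, bank_details_changed_at=NOW - 2 * DAY)
    session = Session(device_known=False, ip_country="AU", mfa_at=NOW - 3 * MINUTE)
    print(decide("withdraw", 60_000.0, NOW, session, member))  # hold, with four reasons
```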

3. Supply Chain and Third-Party Vulnerabilities

Insurance companies and super funds rely heavily on third parties: claims administration platforms, policy administration systems, investment management platforms, actuarial software, cloud hosting providers, and managed service providers. Each vendor represents a potential supply chain attack vector. The 2023 MOVEit Transfer vulnerability demonstrated how a single compromised file transfer software vendor could cascade across thousands of organisations, including Australian financial institutions through their IT providers or software supply chains.

APRA's CPS 234 explicitly requires regulated entities to manage material risks arising from third-party service providers. This requirement is not optional — APRA has issued enforcement actions against institutions with weak vendor management practices. For insurers and super funds, vendor security must be assessed before engagement, monitored during the relationship, and tested regularly. Material third-party arrangements — those that could impact the regulated entity's risk profile if they failed — must be identified, reported to APRA, and subject to enhanced oversight.


Compliance Requirements for Insurance & Superannuation

Australian insurers and superannuation funds face a stringent regulatory regime with clear cybersecurity obligations:

APRA CPS 234 (Information Security) CPS 234 is APRA's prudential standard on information security, effective from 1 July 2019. It applies to all APRA-regulated entities, including insurers, superannuation funds, and accountable superannuation trustees (ASTs). CPS 234 establishes legally binding requirements across six areas: Governance, Information Security Capability, Implementation, Testing, Reporting to APRA, and Third-party Oversight. Key requirements include: maintaining an information security policy commensurate with risks; implementing controls across the five information security domains (governance, identification, protection, detection, response); annual testing of cyber resilience; and management of material third-party risks. APRA has taken enforcement action against institutions with weak CPS 234 compliance, and the standard is rigorously audited during prudential supervision.

Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs) Insurers and super funds are bound by the Privacy Act and the APPs as APP entities; the small business exemption does not apply to financial services. APP 11 requires reasonable steps to protect personal information. The Notifiable Data Breach (NDB) scheme requires notification to the OAIC and affected individuals of eligible data breaches. The Privacy and Other Legislation Amendment Act 2024 (effective 11 December 2024) strengthened enforcement: civil penalties can now reach AUD $50 million for serious or repeated breaches. For insurers handling health information, additional obligations under the Privacy Act apply to health data.

Cyber Security Act 2024 (Cth) Enacted in November 2024, the Cyber Security Act introduces mandatory ransomware payment reporting (effective 30 May 2025) for entities with annual turnover above AUD $3 million. Most insurers and super funds fall well above this threshold. Ransom payments must be reported to the ASD within 72 hours. The Act also enables the National Cyber Security Coordinator to request information and issue directions following significant cyber incidents. For APRA-regulated entities, ransomware incidents would typically trigger both CPS 234 notification to APRA and Cyber Security Act reporting to the ASD.

Corporations Act 2001 (Cth) and ASIC Regulatory Guide 255 For listed insurers and superannuation entities, continuous disclosure obligations under the Corporations Act may require disclosure of material cybersecurity incidents. ASIC Regulatory Guide 255 provides guidance on cybersecurity disclosure for listed entities. Unlisted entities may have equivalent disclosure obligations under their governing documents or trust deeds.

Superannuation Industry (Supervision) Act 1993 (SIS Act) For superannuation funds and trustees, the SIS Act imposes fiduciary duties to act in the best financial interests of members. A cybersecurity breach that results in member financial loss or data compromise can constitute a breach of these fiduciary duties. APRA's Superannuation Prudential Standard (SPS) 510 on Governance intersects with CPS 234 in setting expectations for board and committee oversight of cybersecurity risk.

ASD Essential Eight While not legally mandated by APRA, the Essential Eight mitigation strategies are strongly endorsed by APRA as a baseline for information security controls. Many APRA-regulated entities implement the Essential Eight as the foundation for their CPS 234 compliance framework.


The lilMONSTER Security Checklist for Insurance & Superannuation

These controls provide a foundation for CPS 234 compliance and address the highest-risk threat vectors:

  1. MFA on all systems — members, staff, and third parties — Require multi-factor authentication on all member portals, staff email and productivity platforms, administrative interfaces, and third-party access points. Use phishing-resistant MFA (hardware keys, authenticator apps) rather than SMS where possible. For super funds, consider adaptive MFA that triggers additional authentication for high-risk transactions (benefit withdrawals, bank account changes). Document your MFA implementation for CPS 234 attestation.

  2. Annual testing of cyber resilience (CPS 234 requirement) — CPS 234 requires annual testing of information security controls, including vulnerability assessments, penetration testing, or red team exercises. Testing must be conducted by independent parties (either internally independent teams or external providers). Test results must be reported to the board and to APRA as part of the CPS 234 annual attestation. Testing should be scoped to cover both internal systems and material third-party arrangements.

  3. Material third-party risk identification and oversight — Identify all third-party service providers and classify them by materiality (could their failure impact your risk profile?). For material providers, conduct due diligence before engagement, include security clauses in contracts, and regularly review their security posture. Report material third-party arrangements to APRA as required by CPS 234. Maintain an up-to-date register of all third parties and their materiality classification.

  4. Patch within 48 hours — critical patches within 24 hours — Unpatched software is the most common initial access vector. Prioritise internet-facing systems, member-facing applications, and administrative platforms. Maintain an asset register and patch management system with documented procedures. CPS 234 requires that information security capability be "maintained effectively" — unpatched systems are evidence of ineffective maintenance.

  5. Encryption of data at rest and in transit — Encrypt all sensitive member and policyholder data, both in storage (databases, backups, file storage) and in transit (API calls, web traffic, data transfers). Use strong encryption standards (AES-256 for data at rest, TLS 1.3 for data in transit). Maintain an inventory of encrypted assets and encryption key management procedures. CPS 234's "protection" domain explicitly includes encryption as a control.

  6. Security monitoring and incident detection — Implement centralised logging and monitoring of security-relevant events across all systems, including third-party platforms. Establish a Security Operations Centre (SOC) function — either in-house or outsourced — with 24/7 coverage or at least 24-hour response capability. Define incident severity classification and escalation procedures aligned to CPS 234 reporting obligations (report material incidents to APRA within 72 hours).

  7. Board-level oversight and governance — CPS 234 requires the board to approve the information security policy, to be informed of material security incidents, and to review the effectiveness of controls at least annually. Ensure cybersecurity is a standing agenda item at board meetings, with regular reporting on control testing, incident metrics, and remediation activities. Board minutes should reflect cyber risk discussions.

  8. Member and customer phishing resistance — Implement controls to reduce the effectiveness of phishing against your customers: DMARC, SPF, and DKIM for email domain authentication; educational content on member portals; warning banners for suspicious emails; and consideration of passwordless authentication options. Many cyber incidents originate from compromised member or customer credentials.
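As an added example (not part of the original checklist), here is a small checker for the email-domain authentication controls in item 8: given a domain's SPF record, DMARC record and DKIM selector records, it flags settings that still leave members and customers exposed to spoofed mail from your domain. Record strings are passed in directly; fetching them from DNS is left to the caller, and the sample records, domain names and selector names are constructed.

```python
from __future__ import annotations
import re

# Constructed checker for a sending domain's SPF, DKIM and DMARC posture.
# Records are passed in as strings (fetch them from DNS in real use); nothing is looked up here.
def parse_tags(record: str) -> dict[str, str]:
    """Parse 'k=v; k2=v2' tag lists, the syntax DMARC and DKIM TXT records use."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

# Mechanisms and modifiers that each cost a DNS lookup under RFC 7208's limit of 10.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|a$|a[:/]|mx$|mx[:/])")

def assess_spf(txt_records: list[str]) -> list[str]:
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record, so receivers cannot reject spoofed envelope senders"]
    if len(spf) > 1:
        return ["SPF: multiple v=spf1 records, which receivers treat as a permanent error"]
    findings, terms = [], spf[0].split()
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorises any host to send as this domain")
    elif last == "?all":
        findings.append("SPF: '?all' is neutral and gives receivers no signal")
    elif last == "~all":
        findings.append("SPF: '~all' is softfail; acceptable only with DMARC enforcement")
    elif last != "-all":
        findings.append("SPF: no terminating 'all' mechanism")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings

def assess_dkim(selectors: dict[str, str]) -> list[str]:
    if not selectors:
        return ["DKIM: no selector records, so outbound mail is unsigned"]
    return [f"DKIM: selector '{s}' has an empty p= (key revoked)"
            for s, rec in selectors.items() if not parse_tags(rec).get("p")]

def assess_dmarc(record: str | None) -> list[str]:
    if not record:
        return ["DMARC: no _dmarc record, so SPF/DKIM failures are not enforced"]
    tags = parse_tags(record)
    findings, policy = [], tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    elif policy != "reject":
        findings.append("DMARC: missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} leaves {100 - int(pct)}% of failing mail unenforced")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so nobody receives aggregate reports")
    return findings

def assess_domain(txt_records: list[str], dmarc: str | None, dkim: dict[str, str]) -> list[str]:
    """Every finding for a domain; an empty list means the posture is enforcing."""
    return assess_spf(txt_records) + assess_dkim(dkim) + assess_dmarc(dmarc)

# Constructed sample records for a weak and a hardened configuration.
WEAK = (["v=spf1 include:_spf.mailhost.invalid ?all"], "v=DMARC1; p=none; pct=50", {})
HARDENED = (["v=spf1 include:_spf.mailhost.invalid -all"],
            "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid",
            {"s1": "v=DKIM1; k=rsa; p=CONSTRUCTED_BASE64_PUBLIC_KEY"})
```

Run `assess_domain(*WEAK)` and `assess_domain(*HARDENED)` to compare the two: the weak set yields five findings, the hardened set none.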


How Much Does Cybersecurity Cost for Insurance & Superannuation?

For APRA-regulated entities, cybersecurity is a regulated cost of doing business.

Spend                          What it covers
AUD $50,000–200,000/year       SME essentials: CPS 234 compliance programme, MFA, endpoint protection, SIEM basics, annual pen test, staff training
AUD $200,000–1,000,000/year    Mid-tier: 24/7 SOC monitoring, managed detection and response (MDR), vulnerability management, third-party risk management platform
AUD $1,000,000–5,000,000/year  Enterprise: dedicated CISO, in-house SOC team, advanced threat protection, red team exercises, CPS 234 audit preparation

Cost of a breach for an insurer or super fund:

  • Average financial services breach: higher than the AUD $4.26 million cross-industry average (IBM, 2024)
  • Medibank breach (for scale): AUD $125 million+ in direct costs, excluding ongoing civil penalties
  • APRA enforcement action: can include licence variation or cancellation, capital additions, and mandatory remediation programmes
  • OAIC civil penalty exposure: up to AUD $50 million for serious or repeated Privacy Act breaches
  • Member/customer compensation: potentially millions depending on the nature of losses
  • Class action exposure: increasingly common following major breaches

Cyber liability insurance for financial services typically costs AUD $20,000–200,000/year depending on revenue, customer base, and security posture. However, insurers are increasingly reluctant to provide coverage to institutions with weak CPS 234 compliance, and policy exclusions for known vulnerabilities or unpatched systems are common.


FAQ

A foundational cybersecurity programme for a small Australian insurer typically starts at AUD $100,000–300,000 per year, covering CPS 234 compliance support, multi-factor authentication, endpoint detection and response, SIEM deployment, managed security monitoring, and annual penetration testing. Larger insurers will spend significantly more — often millions annually — on dedicated security teams, advanced threat protection, and third-party risk management platforms. For context, the Medibank breach cost exceeded AUD $125 million in direct costs, and APRA enforcement action can result in licence cancellation or mandatory capital additions.

The greatest cybersecurity risk for Australian insurers and super funds is ransomware combined with data extortion. Attackers encrypt systems and exfiltrate sensitive data, then demand payment both for decryption and to avoid publication. Health insurers face particular exposure due to the sensitivity of health claims data. The Medibank Private breach (2022) demonstrated the catastrophic impact possible: 9.7 million records published, $125M+ in costs, and ongoing civil penalty proceedings. Business Email Compromise (BEC) targeting claims and outbound payments is the second major threat.

ISO 27001 is not legally mandated by APRA, but it provides a structured framework that maps well to CPS 234 requirements. Many APRA-regulated entities implement ISO 27001 as the foundation for their information security management system (ISMS) because it offers a certifiable, auditable standard that demonstrates mature governance. CPS 234 requires an "information security policy commensurate with risks" and "maintenance of information security capability" — ISO 27001 provides evidence of both. lilMONSTER can assess whether ISO 27001 or an alternative framework best fits your regulatory obligations and risk profile.

CPS 234 explicitly requires annual testing of information security controls, which must include testing of the effectiveness of controls in detecting and responding to cyber attacks. Most APRA-regulated entities satisfy this requirement through annual penetration testing conducted by independent parties. Testing should cover both external infrastructure (internet-facing systems) and internal systems (including administrative platforms and material third-party interfaces). Some entities conduct more frequent testing (e.g., quarterly vulnerability assessments) and deeper exercises (red teaming) periodically. Test results must be reported to the board and to APRA as part of the CPS 234 annual attestation.

If an insurer or super fund suffers a significant cyber incident, multiple simultaneous obligations are triggered: (1) Notify APRA under CPS 234 — material incidents must be reported within 72 hours. (2) Notify the OAIC under the Notifiable Data Breach scheme — highly likely given the sensitive personal information held. (3) Report ransom payments to the ASD within 72 hours (for entities with turnover >$3M, from 30 May 2025) under the Cyber Security Act 2024. (4) Notify affected members or policyholders — required under both NDB and APP 13. (5) Engage with ASIC if the incident is material to a listed entity. (6) Engage with cyber insurer immediately. (7) Prepare for APRA enforcement — APRA may conduct a prudential investigation and can impose licence conditions, capital additions, or other remediation requirements.


References

[1] Australian Prudential Regulation Authority (APRA), "Prudential Standard CPS 234 Information Security," APRA, 2019. [Online]. Available: https://www.apra.gov.au/

[2] Australian Signals Directorate (ASD), "Annual Cyber Threat Report 2024–2025," Australian Government, 2025. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025

[3] IBM Security, "Cost of a Data Breach Report 2024," IBM Corporation, Jul. 2024. [Online]. Available: https://www.ibm.com/reports/data-breach

[4] Information Age (ACS), "Data breach to cost Medibank more than $125m," ACS, 2024. [Online]. Available: https://ia.acs.org.au/article/2024/data-breach-to-cost-medibank-more-than--125m-.html

[5] Office of the Australian Information Commissioner (OAIC), "Notifiable Data Breaches Scheme," OAIC, 2024. [Online]. Available: https://www.oaic.gov.au/

[6] Australian Government, "Cyber Security Act 2024 (Cth)," Federal Register of Legislation, Nov. 2024. [Online]. Available: https://www.legislation.gov.au/

[7] Australian Securities and Investments Commission (ASIC), "Regulatory Guide 255 Cybersecurity," ASIC, 2024. [Online]. Available: https://www.asic.gov.au/

[8] Australian Cyber Security Centre (ACSC), "Essential Eight Mitigation Strategies," Australian Government, 2024. [Online]. Available: https://www.cyber.gov.au/publications/essential-eight-mitigation-strategies

[9] Financial Services Council (FSC), "Cybersecurity Guidelines for the Financial Services Industry," FSC, 2024. [Online]. Available: https://www.fsc.org.au/

[10] Association of Superannuation Funds of Australia (ASFA), "Cybersecurity for Superannuation Funds," ASFA, 2024. [Online]. Available: https://www.superannuation.asn.au/


Need help securing your Insurance & Superannuation business? Book a free consultation with lilMONSTER — Australia's no-BS cybersecurity team for SMBs.
