Super funds scramble to plug cyber security holes as APRA deadline looms

Only two of the major super funds appear to meet the regulator’s standards on cyber security controls. How does your fund stack up?

Some of Australia’s largest super funds appear unlikely to get their security up to the prudential regulator’s standard by its August 31 deadline, judging by their uneven enforcement of basic controls such as multi-factor authentication.

The Australian Prudential Regulation Authority this week blasted the scandal-plagued sector for “persistent weaknesses” in security controls and ordered all funds to put in place measures to better protect members’ retirement savings.

At a minimum, the regulator expects entities to require multi-factor authentication (MFA) or equivalent controls for all high-risk activities such as changing member details, withdrawals, benefit payments, transfers, rollover requests and investment switching.

MFA is a security measure that requires users to present two or more independent forms of verification, such as a password plus a code sent to a phone or a fingerprint scan, so that a stolen password alone is not enough for a scammer to get into an account.

APRA also said it expects funds to have MFA in place for all administrative or privileged access.

A number of the sector’s megafunds fall short of APRA’s standards, with some seemingly caught off guard by the prescriptive nature of the rules weeks after the industry was targeted by a co-ordinated cyber attack.

APRA chair John Lonsdale. Picture: John Feder/The Australian

The $300bn Australian Retirement Trust and Cbus require MFA for some but not all of the high-risk activities listed by the regulator, while HESTA, the $93bn industry fund for healthcare workers, requires MFA for member logins but nothing else.

“Australian Retirement Trust takes the security of member accounts seriously and uses a variety of security controls, such as one-time pins, for a range of transactions,” an ART spokesman told The Australian.

“We will continue to work closely with regulators and are focused on supporting members and prioritising their needs, including how best to help those who have not already opted in to MFA to enrol by default over the coming months,” he said.

Two weeks ago, ART said it was focused on “meeting members where they are” in terms of security measures, as it declined to say if it would work towards requiring MFA at login rather than retaining it as an opt-in measure.

Cbus said it was working on a program of enhanced security measures, including MFA at log-in: “We’re looking at how we can accelerate these in the coming months,” a spokesman said.

HESTA said its move to require MFA at the login stage was above the minimum standard outlined by APRA this week.

“It means that for the activities APRA has identified as high-risk, members will need to have first completed MFA. For administrative and privileged access, HESTA has equivalent protections to MFA.”

But security expert and Okta Threat Intelligence vice-president Brett Winterford warned having MFA only at login could put member savings at risk.

“It’s great to require MFA at login, but as a super member, I would still expect to have to verify my identity before a major transaction. With login MFA, you’ve dramatically narrowed the window for the attack, but you haven’t eliminated it,” Mr Winterford warned.

Australia’s largest super funds are scrambling to get their cyber security up to the prudential regulator’s standards by August 31. Picture: iStock

The risk with MFA in place just for logins is that hackers can still hijack a user’s session and gain unauthorised access to accounts, he said.
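The difference between MFA at login and MFA before a transaction can be made concrete. The block below is an added example written for this article, not code from any fund, administrator or from APRA. It models a member portal under three policies (MFA at login only, a second factor required within a freshness window for APRA's listed high-risk activities, and a second factor demanded for every high-risk action), then plays out a session hijack: the member logs in with MFA, the session identifier is stolen, and the thief attempts a withdrawal 20 minutes later. The member record, the RFC 6238 TOTP seed and the timings are constructed for the demo; the 300-second freshness window is an assumed value.

```python
"""Step-up re-authentication for high-risk member transactions.

Added example for this article; not code from any super fund or from APRA.
A session protected only by login MFA can be hijacked (for example by
stealing the session cookie) and then used for a withdrawal. Requiring a
fresh second factor for APRA's listed high-risk activities stops the stolen
session at that point. Member record, TOTP seed and timings are constructed;
STEP_UP_MAX_AGE is an assumption.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

# APRA's listed high-risk activities, as quoted in the article.
HIGH_RISK = {"change_member_details", "withdrawal", "benefit_payment",
             "transfer", "rollover", "investment_switch"}
STEP_UP_MAX_AGE = 300   # assumed: seconds a completed second factor stays "fresh"
TOTP_STEP = 30          # RFC 6238 time step in seconds


def totp(secret: bytes, now: float, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP built on RFC 4226 HOTP (HMAC-SHA1 with dynamic truncation)."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class AuthFailed(Exception):
    pass


class StepUpRequired(Exception):
    """A high-risk action needs a fresh second factor before it can proceed."""


@dataclass
class Session:
    member_id: str
    mfa_at: float       # unix time the second factor was last completed


class Portal:
    """Policies: 'login' (MFA at login only), 'recent' (high-risk actions need a
    factor completed within STEP_UP_MAX_AGE), 'always' (every high-risk action
    needs a factor presented with the request)."""

    def __init__(self, members: dict, mode: str):
        assert mode in ("login", "recent", "always")
        self.members = members   # {member_id: {"password": str, "totp_secret": bytes}}
        self.mode = mode
        self.sessions = {}       # session id -> Session

    def _otp_ok(self, member_id: str, otp, now: float) -> bool:
        if otp is None:
            return False
        secret = self.members[member_id]["totp_secret"]
        # accept the current and previous step to tolerate small clock drift
        return any(hmac.compare_digest(totp(secret, now - d), otp) for d in (0, TOTP_STEP))

    def login(self, member_id: str, password: str, otp: str, now: float) -> str:
        m = self.members.get(member_id)
        if m is None or not hmac.compare_digest(m["password"], password):
            raise AuthFailed("bad credentials")
        if not self._otp_ok(member_id, otp, now):
            raise AuthFailed("bad second factor")
        sid = secrets.token_urlsafe(32)      # the value a session hijacker steals
        self.sessions[sid] = Session(member_id, mfa_at=now)
        return sid

    def perform(self, sid: str, action: str, now: float, otp=None) -> str:
        s = self.sessions.get(sid)
        if s is None:
            raise AuthFailed("no session")
        if action in HIGH_RISK and self.mode != "login":
            fresh = self.mode == "recent" and now - s.mfa_at <= STEP_UP_MAX_AGE
            if not fresh:
                if not self._otp_ok(s.member_id, otp, now):
                    raise StepUpRequired(action)
                s.mfa_at = now               # factor just completed; renews the window
        return f"{action} ok for {s.member_id}"


def hijack_demo(mode: str) -> str:
    """Constructed scenario: member logs in with MFA at t0, the session id is
    stolen, and 20 minutes later the thief attempts a withdrawal with it."""
    seed = b"12345678901234567890"           # constructed seed (the RFC 6238 test key)
    portal = Portal({"M1001": {"password": "correct horse", "totp_secret": seed}}, mode)
    t0 = 1_700_000_000.0
    stolen_sid = portal.login("M1001", "correct horse", totp(seed, t0), t0)
    try:
        portal.perform(stolen_sid, "withdrawal", t0 + 20 * 60)   # no fresh factor offered
        return "withdrawal_allowed"
    except StepUpRequired:
        return "step_up_required"


if __name__ == "__main__":
    for mode in ("login", "recent", "always"):
        print(f"{mode:>6}: {hijack_demo(mode)}")
```

Under the 'login' policy the stolen session withdraws freely; under 'recent' the thief is stopped once the login factor is older than the window, and under 'always' the thief is stopped regardless of timing. Note that 'recent' still leaves the freshness window open to a hijacker who acts quickly, which is the residual risk the 'always' policy removes.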

AustralianSuper, the nation’s largest super fund with $360bn in assets and the only fund to lose member money in the March and April cyber attack, declined to confirm which activities it requires MFA for or if it currently requires MFA for any of the high-risk activities listed by APRA.

“AustralianSuper has strong security controls on the systems members use – including multi-factor authentication on the app and web portal – and also on the back end systems that provide further protection,” a spokesman said.

“We accelerated the implementation of MFA changes last month, and security upgrades continue to be rolled out. The fund engages regularly with APRA to keep regulators up to date about continuing improvements we make to safeguard Australians’ retirement savings.”

Hackers stole $750,000 from 10 AustralianSuper member accounts in March and April, including $406,000 from a single account over a number of days.

Rest Super has accelerated its security changes in the wake of the recent attack and this month rolled out MFA across member logins. A spokesman said MFA was also used for high-risk transactions but did not disclose which ones.

Aware Super and UniSuper are the only funds to already require MFA for all of the high-risk activities outlined by APRA. Both also require MFA at login.

Hostplus did not respond to inquiries from The Australian but has previously confirmed it requires members to use MFA at the login stage.

Along with industry funds AustralianSuper, ART, Hostplus, Rest and Cbus, the Insignia-owned Expand platform was also targeted by criminals in the March and April attacks.

An Insignia spokeswoman said the wealth manager had introduced adaptive MFA on logins since the attack. This means the level of authentication required for logins adjusts based on factors such as using a new device or logging in from a new location.
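The adaptive approach described above can be sketched as a small risk engine. The block below is an added example for this article, not Insignia's or any fund's code. It raises the factors demanded at login when the context is unfamiliar (an unknown device, a country not seen before, or a jump in location no real traveller could make since the last login) and keeps them lighter from a device the member has already enrolled with MFA. The signals, weights, threshold and the 900 km/h travel ceiling are assumptions, and the login sequence is constructed.

```python
"""Adaptive (risk-based) MFA decision at login.

Added example for this article; not Insignia's or any fund's code. Weights,
threshold and the travel-speed ceiling are assumptions for the demo.
"""
import math
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LoginContext:
    member_id: str
    device_id: str      # assumed: stable per-device identifier (cookie or fingerprint)
    country: str
    lat: float
    lon: float
    ts: float           # unix seconds


@dataclass
class MemberHistory:
    trusted_devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    last_login: Optional[LoginContext] = None


MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed: faster than this is "impossible travel"
MFA_THRESHOLD = 30                # assumed: score at which a second factor is demanded
WEIGHTS = {"new_device": 40, "new_country": 30, "impossible_travel": 50}   # assumed


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def risk_signals(hist: MemberHistory, ctx: LoginContext) -> dict:
    """Return the risk signals that fire for this login, with their weights."""
    signals = {}
    if ctx.device_id not in hist.trusted_devices:
        signals["new_device"] = WEIGHTS["new_device"]
    if ctx.country not in hist.countries:
        signals["new_country"] = WEIGHTS["new_country"]
    last = hist.last_login
    if last is not None and ctx.ts > last.ts:
        km = haversine_km(last.lat, last.lon, ctx.lat, ctx.lon)
        hours = (ctx.ts - last.ts) / 3600.0
        if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            signals["impossible_travel"] = WEIGHTS["impossible_travel"]
    return signals


def required_factors(hist: MemberHistory, ctx: LoginContext):
    """Decide what this login must present: ('password',) or ('password', 'mfa')."""
    signals = risk_signals(hist, ctx)
    score = sum(signals.values())
    factors = ("password", "mfa") if score >= MFA_THRESHOLD else ("password",)
    return factors, signals


def record_success(hist: MemberHistory, ctx: LoginContext, mfa_passed: bool) -> None:
    """Update history after a successful login. Devices and countries are learned
    only from MFA-verified logins, so a password-only login can never quietly
    widen what the engine treats as familiar."""
    if mfa_passed:
        hist.trusted_devices.add(ctx.device_id)
        hist.countries.add(ctx.country)
    hist.last_login = ctx


def demo() -> dict:
    """Constructed sequence: first login from Sydney, a routine login the next
    day from the same device, then an attempt an hour later from Frankfurt on
    an unknown device."""
    hist = MemberHistory()
    t0 = 1_700_000_000.0
    sydney = dict(country="AU", lat=-33.87, lon=151.21)
    frankfurt = dict(country="DE", lat=50.11, lon=8.68)
    out = {}
    first = LoginContext("M1001", "dev-a", ts=t0, **sydney)
    out["first_login"] = required_factors(hist, first)
    record_success(hist, first, mfa_passed=True)
    routine = LoginContext("M1001", "dev-a", ts=t0 + 86400, **sydney)
    out["routine_login"] = required_factors(hist, routine)
    record_success(hist, routine, mfa_passed=False)
    suspicious = LoginContext("M1001", "dev-b", ts=t0 + 86400 + 3600, **frankfurt)
    out["suspicious_login"] = required_factors(hist, suspicious)
    return out


if __name__ == "__main__":
    for name, (factors, signals) in demo().items():
        print(f"{name}: {factors} {signals}")
```

This is a login-time control only: it decides what a member must present to obtain a session, and has no bearing on what an already-issued session can do. A stolen session cookie never passes through this decision, which is why it complements, rather than replaces, a second factor on the high-risk transactions themselves.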

Originally published as Super funds scramble to plug cyber security holes as APRA deadline looms

Original URL: https://www.dailytelegraph.com.au/business/super-funds-scramble-to-plug-cyber-security-holes-as-apra-deadline-looms/news-story/27e00964ed93b18b780b94f0b86c3287