APRA imposes additional licence conditions on NGS Super

The Australian Prudential Regulation Authority (APRA) has imposed additional licence conditions on NGS Super Pty Limited (NGS), effective 11 December 2023, after significant deficiencies were identified in NGS’ cyber controls. NGS is the trustee of NGS Super, which has 114,000 members and $14 billion in assets under management.

The additional licence conditions follow an internal report prepared by NGS’ internal auditor in August 2022, an independent tripartite review undertaken at APRA’s request and delivered in April 2023, and a cyber incident in March 2023. The reviews identified deficiencies in NGS’ compliance with Prudential Standard CPS 234 – Information Security (CPS 234), while the cyber incident involved a significant amount of data being lost and NGS’ systems being compromised for a period.

While NGS has taken steps to address the recommendations in the internal audit and tripartite review reports, APRA has put in place additional licence conditions that require NGS to engage an independent third party to:

  • provide assurance regarding NGS’ remediation activities and to address the recommendations contained in the internal audit and tripartite review reports; and
  • conduct an operational effectiveness review of the CPS 234 controls and frameworks in place for NGS.

On completion of the operational effectiveness review, NGS is required to provide APRA with an attestation from the NGS Chair that the remediation actions are complete and effective, and that the entity is compliant with CPS 234.
