‘Persistent weaknesses’: Why your super account security might not be up to scratch

The Sydney Morning Herald
10 Jun

The powerful financial regulator has warned there are key gaps in some super funds’ defences against cyberattacks, ordering funds to assess their systems for protecting members against fraudsters trying to break into their accounts.

Super giants AustralianSuper, Australian Retirement Trust, HostPlus, Rest, Insignia and Cbus were targeted earlier this year in co-ordinated cyberattacks, which put the security practices of super funds under the microscope.

[Image caption: APRA’s warning comes after various major super funds were targeted in cyberattacks earlier this year. Credit: Monique Westerman]

Ten AustralianSuper members had money stolen in the attacks, with a combined $750,000 transferred out of their accounts, which has since been reimbursed. Members of some other funds had their details fraudulently accessed.

The enormous amount of money held in super has long been an attractive target for fraudsters, and on Tuesday, the Australian Prudential Regulation Authority (APRA) wrote to the chairs of super funds, warning that current controls were not always up to scratch.

As a result, each APRA-regulated super fund must conduct a self-assessment of its information-security controls, in particular how the funds authenticate logins.


APRA said that at a minimum, funds should use “multi-factor authentication” – a security measure requiring two proofs of identity to grant access, such as an SMS code as well as a password – for high-risk activities such as changing a member’s details or making a withdrawal.

If a fund finds its controls inadequate, it must tell APRA and assess whether it has breached prudential standards. APRA could seek fines against funds through the courts in the case of major breaches.

The attacks on the super funds, which occurred in March, used a practice known as “credential stuffing”, where hackers used stolen user names and passwords to try to break into accounts.
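As an added illustration (not part of the article or any fund's own systems), the snippet below shows the defender's side of the two points the article raises: what a credential-stuffing burst looks like in login records compared with an ordinary member mistyping a password, and the step-up rule APRA describes as a minimum (a second factor before high-risk actions). The login events, IP addresses and member ids are constructed placeholders, and the thresholds are assumptions a fund would tune to its own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed member-portal login events: (timestamp, source_ip, member_id, outcome).
# Placeholder IPs and member ids, not real data. One source tries ten different
# accounts once each; another is a member who mistypes once and then succeeds.
EVENTS = [
    ("2025-03-28T02:00:01", "203.0.113.7", "m1001", "fail"),
    ("2025-03-28T02:00:02", "203.0.113.7", "m1002", "fail"),
    ("2025-03-28T02:00:03", "203.0.113.7", "m1003", "fail"),
    ("2025-03-28T02:00:04", "203.0.113.7", "m1004", "success"),
    ("2025-03-28T02:00:05", "203.0.113.7", "m1005", "fail"),
    ("2025-03-28T02:00:06", "203.0.113.7", "m1006", "fail"),
    ("2025-03-28T02:00:07", "203.0.113.7", "m1007", "fail"),
    ("2025-03-28T02:00:08", "203.0.113.7", "m1008", "fail"),
    ("2025-03-28T02:00:09", "203.0.113.7", "m1009", "success"),
    ("2025-03-28T02:00:10", "203.0.113.7", "m1010", "fail"),
    ("2025-03-28T09:15:00", "198.51.100.9", "m2001", "fail"),
    ("2025-03-28T09:15:30", "198.51.100.9", "m2001", "success"),
]

def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_accounts=8, min_fail_ratio=0.6):
    """Flag sources that try many distinct accounts in a short window, mostly failing.
    Stuffing reuses one stolen password per account across many accounts, so the
    signal is account breadth, not repeated attempts on one account. Returns
    {source_ip: [accounts that logged in successfully inside the burst]}; those
    successes are the accounts to treat as compromised and review (thresholds assumed)."""
    by_ip = defaultdict(list)
    for ts, ip, member, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), member, outcome))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):          # sliding window per source
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            accounts = {m for _, m, _ in in_window}
            fails = sum(1 for _, _, o in in_window if o == "fail")
            if len(accounts) >= min_accounts and fails / len(in_window) >= min_fail_ratio:
                flagged[ip] = sorted(m for _, m, o in in_window if o == "success")
                break
    return flagged

# The high-risk activities the article names; a fund's real list is a policy decision.
HIGH_RISK_ACTIONS = {"change_contact_details", "change_password",
                     "change_bank_account", "withdrawal"}

def requires_step_up(action, mfa_verified):
    """True when the request must wait until a second factor is verified for this session."""
    return action in HIGH_RISK_ACTIONS and not mfa_verified
```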

APRA’s deputy chair Margaret Cole said the attacks had reinforced the regulator’s concerns about weaknesses in funds’ information-security controls, as she reminded funds they have a “non-negotiable” obligation to keep members’ money and data safe.

[Image caption: APRA deputy chair Margaret Cole. Credit: Louise Kennerley]

“Recent credential stuffing attacks have reinforced APRA’s concerns about persistent weaknesses in RSE [registrable superannuation entity] licensees’ information-security controls, particularly those related to authentication,” Cole said.

“Although APRA has consistently emphasised the importance of robust cybersecurity, it is clear that current controls are not always commensurate with the evolving vulnerabilities and threats, nor with the criticality and sensitivity of the member data and assets they protect.”

The Association of Superannuation Funds of Australia said APRA’s expectations were fair and reasonable, and the industry body had started work on establishing sector-wide minimum fraud controls.

AustralianSuper said the fund had multi-factor authentication on its app and web portal, and there were also back-end systems that provided further protection. Security upgrades continued to be rolled out, it said.

Rest said multi-factor authentication was used for a number of processes including member access logins and registering for the app, and it also monitored for fraud in other ways.

Cbus said multi-factor authentication was already in place for key changes on members’ accounts, including changing a password or contact details and requesting payments or withdrawals. The fund said in April that it had detected a spike in login attempts, but it found no evidence of funds being stolen or of attackers accessing members’ personal information or accounts.

Australian Retirement Trust said the fund had introduced multi-factor authentication last year and it would continue to work closely with regulators to support members, including looking at helping members who had not opted into multi-factor authentication.

Insignia said it had multi-factor authentication in place for Expand, the platform that was targeted in this year’s cyberattack, for key activities such as registration, withdrawals and bank account changes.

Hostplus also already has multi-factor authentication in place.
