Cyber security of Australia’s super funds under scrutiny

Australia is ranked as the world’s fifth most powerful ‘cybernation’, with a cyber security market valued at US$5.99bn in 2023 and expected to be worth US$13.95bn by 2028.

Unsurprisingly, this rapid rate of growth means that Australia also faces a high level of cyber threats, from both criminals and state-sponsored adversaries. 76,000 cyber crimes were reported in Australia over the course of the 2021-22 financial year – an average of one every seven minutes.

Cyber crime is estimated to cost Australia’s economy about AU$42bn a year, although the real figure is likely to be much higher because so many instances go unreported. No sector is immune, and each faces its own challenges.

Several alarming cyber events – most notably the devastating attacks on Optus and Medibank in late 2022 – have intensified the focus of Australia’s regulators on the cyber defence postures of their industries.

For example, in 2022 the financial advisory service RI Advice made Australian legal history when the Federal Court found it had breached its obligations under its Australian Financial Services license when it, “failed to have adequate risk management systems to manage its cyber security risks.”

Super funds and not-so-super cyber defences

APRA, the Australian Prudential Regulation Authority, released its largest-ever study on cyber resilience in financial services in July 2023. The study evaluated over 300 banks, insurers, and superannuation trustees to assess their compliance with the prudential standard on information security (CPS 234).

APRA was dismayed to find that its “security stocktake” exposed “a number of gaps” in the cyber defences of Australia’s super funds.

The stakes for these entities are high. As of the June 2023 quarter, the total value of superannuation assets in Australia was AU$3.5 trillion (the majority of which is held in defined contribution funds). This makes Australia the world’s fourth largest holder of pension fund assets.

“Out of patience”

John Lonsdale is APRA’s chair. Speaking to the FINSIA conference in early November 2023, Lonsdale was blunt about the cyber security performance of the funds APRA oversees:

“Three years ago, APRA’s information security standard CPS 234 came into force, and yet many entities are still struggling with foundational issues: ensuring third party controls are effective, making sure that systematic security control testing is in place, and regularly testing incident response plans. With the potential for serious impact to millions of Australians, our patience has run out.”

Although superannuation funds (or ‘super funds’) are constantly evolving their security measures to align with the shifting threat landscape, APRA remains underwhelmed by their efforts.

Lonsdale described the super funds as still struggling with “foundational issues” and indicated that APRA is ready to move decisively against funds lacking in operational resilience:

“Where an entity is found to be significantly wanting in its cyber preparedness, we are intensifying supervision, insisting upon remediation plans, and taking enforcement action such as capital overlays and potentially license conditions.”

This is in spite of greater adoption of cyber crime countermeasures, such as

• additional security checks during transactions;
• enhanced identity management; and
• stronger safeguards for member accounts.

Any super fund wondering what falling foul of APRA’s requirements might mean need look no further than the sanctions it imposed on the insurer Medibank in the wake of its 2022 cyber breach:

• Medibank Private is now required to hold an additional US$250m in capital, to reflect weaknesses identified in Medibank’s information security environment. The capital increase will remain in place until an agreed remediation program is completed to APRA’s satisfaction.
• APRA will conduct a targeted technology review of Medibank, with a particular focus on governance and risk culture.

APRA Member Suzanne Smith commented at the time that, “This action demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk and that APRA will respond strongly to identified weaknesses in cyber security controls.”

A long-standing – and escalating – global problem

Cyber crime is, of course, not a new problem for Australia’s super funds – and nor are they alone in their vulnerability. To give just a handful of examples:

• 2016: A cyber incident at India’s largest social security organisation, the Employees’ Provident Fund Organization (EPFO), exposed the details of millions of its members.
• 2019: Pensioenfonds Detailhandel, a Dutch pension fund for the retail sector, fell victim to a ransomware attack. The fund paid a ransom to regain access to its systems.
• 2020: Sunsuper, an Australian super fund, experienced a cyber breach affecting around 130,000 members after an employee’s email account was compromised.
• March 2023: Threat actors targeted Capita, a major UK outsourcer. Capita’s systems are used to administer pensions for over four million savers on behalf of 450 organisations (e.g. Royal Mail and Axa). Information containing Capita data, including home addresses and passport images, began circulating on the dark web. As of November 2023, an investigation by The Pensions Regulator remains open.
• June 2023: The Pension Benefit Guaranty Corporation (PBGC), a US federal agency that insures private pension plans, suffered a data breach affecting 800,000 people. The breach exposed personal information, including Social Security numbers.

Protecting member data and assets

Clearly there is still much to be done, though pension funds the world over do recognise the critical importance of cyber security in safeguarding member data and assets. Although there is not a single, coordinated approach across all funds, several common principles and practices have emerged over the past few years:

Risk assessment and governance

Trustees and scheme managers are accountable for the security of scheme information and assets. They should establish and operate adequate internal controls to manage risks, including cyber risks.

Regular risk assessments will help to identify vulnerabilities and define risk management strategies.

Technical controls and incident response

There is widespread acceptance across the funds industry that investment in technical security measures, such as firewalls, encryption, and intrusion detection systems, is now essential.

Incident response plans are also crucial. Funds have to be ready to act in case of a cyber incident. Collaboration with relevant parties (in-house functions, third-party service providers, and employers) is a key part of incident preparedness.

Tailored approaches

Each fund needs to tailor its approach to its specific profile and requirements. Cybersecurity strategies need to be scaled based on the complexity of risks and the available time and resources.

Awareness and training

Trustees and staff should receive regular cyber security awareness training on an ongoing basis, with roles and responsibilities clearly defined and understood. Thanks to social engineering attacks, like phishing scams, people are the number one weakness in any cyber defence. Building a culture of cyber security awareness is therefore the single most important thing any organisation can do to minimise cyber risk.

An ongoing challenge

Cyber risk is not something that will just fade away, especially not for super funds. Rich in both data and financial assets, they will always prove an irresistible target for everything from sophisticated nation-state attacks to opportunistic ransomware campaigns. And as threat actors become more adept and armed with ever-more advanced tools, the regulatory pressure on funds to improve their defences will only increase.

The good news is that the threat actors do not hold all the aces – there are cutting-edge and flexible solutions, like Orbit Risk, that enable constant vigilance and provide real-time information about existing and emerging threats. Talk to me or the team to find out more.