The successful cyber-attack on Optus, Australia’s second-largest telecommunications company, is a wake-up call for all of us.
No organisation is immune from cyber criminals, and the super fund sector in particular needs to recognise itself as a target. Financial services firms are 300 times more likely to be the victim of a cyber-attack than other companies, with cyber-crime poised to wipe approximately US$10.5 trillion off the global economy annually by 2025, up from US$3 trillion in 2015.
Super funds are high-profile, high-value targets for potential threat actors – and, unlike the banks, they may have historically underinvested in cyber security. APRA’s prudential practice guide CPG 234 “Information Security” references the importance of appropriate oversight.
The job of mitigating cyber risk has got to be top-down. Trustees do not need to be cyber experts, but they are mandated to ensure proper governance of funds, central to which is risk management. A modern risk management framework needs to thoroughly address cyber risks. Trustees need to take security seriously, knowing what questions to ask and which metrics to measure.
The key point is not to be overwhelmed. Attacks like that on Optus are common and ransomware payments are increasingly common, but even super funds with small teams can take huge steps to protect themselves and, ultimately, their members.
Recognise that you are a target
Non-executive board members, the CEO and the C-suite are likely to be key targets themselves because of their access to privileged information. Basic steps like regular training, restricting user access, and good password behaviour can make a huge difference.
Establish if the fund’s public infrastructure is secure
The Optus breach appears to have been the result of an API for an Optus customer identity database being opened to a test network that was exposed to the internet. You do not need to understand the specifics of access control to ask the right questions, in this case: Is the fund continuously monitoring its public IT infrastructure? Either your IT team will be doing this in-house – in which case they should be able to talk you through their monitoring framework, data sources, risk quantification and remediation processes – or they use a reputable threat intelligence provider.
Education and communication
Arguably the most important step is education – making staff and members aware of the increasingly sophisticated methods employed by threat actors, and the methods and resources available to stay ahead. IT Security is the responsibility of every employee.
The 2021 data breach at Sequoia Capital showed that no firm, however large, is immune from a phishing attack. Employees with access to privileged client and investment data are prime targets for hackers seeking to exploit sensitive data.
Communication between InfoSec and management is key. IT Security teams need to explain complex risks in a simple and quantifiable way, so that management can authorise and resource appropriate action. There should be Cyber Security competence, if not expertise, at the board level to ensure effective scrutiny and oversight.
Manage your exposure to third parties
Like most modern companies, super funds are exposed to a network of interconnected third parties, including custodians, asset consultants, administrators, technology providers and other common suppliers to the superannuation industry. Funds are likely to have exposure to private equity firms and other asset managers.
Developing a framework for monitoring third-party cyber risk is essential, from calculating inherent risk through to performing due diligence, accessing third-party security ratings and escalating with potentially high-risk vendors. According to a December 2021 report by Coller Capital, almost three quarters of Limited Partnerships plan to ask for cybersecurity risk assessments of General Partnerships’ management companies in the next few years, and half expect to ask the same of portfolio companies.
Develop an incident response and disaster recovery plan
In today’s security landscape it has become an axiom that firms need to treat a successful hack as an inevitability, not a possibility. Teams need to be prepared, with a strong understanding of their roles in the event of a successful attack, and funds should have a tried and tested response plan in place. This will include:
- Crisis management education and awareness at a board level
- Business continuity planning in place for all staff
- Technical response plan for IT Security staff and outsourcers
No-one knows where the next major breach will happen. As a trustee, by becoming aware of the risks and developing the ability to properly scrutinise your fund, you will be helping immeasurably to reduce the risk to your members’ data and assets.
Super fund boards have a responsibility to manage risk. Recent events have shown us that cyber security needs to be taken seriously.