Search form


Cyber security experts need a seat at the super fund board table: Thomas Murray

Thomas Murray | London | 22 November 2022

Roland Thomas

Corporate Development Manager
Thomas Murray

Cyber attackers are constantly searching for vulnerabilities in their targets’ networks and supply chains, making board vigilance a priority, according to UK-based global risk firm Thomas Murray.

The 28-year-old firm’s corporate development manager Roland Thomas said Australian super funds need a competent IT team which is empowered by the executive, to remain resilient to cyber-attack.

His advice comes in the wake of high-profile attacks this month on telecommunications provider Optus, insurer Medibank Private and energy retailer Energy Australia in which customers’ personal information was accessed, prompting the Federal Government to propose increased penalties from $2.22 million to $50 million for serious privacy breaches.

Thomas Murray works with banks and financial institutions globally, including many Australian super funds, on their due diligence, post-trade and outsourcing risk. It launched its AI Threat Intelligence and Cyber Security Rating platform last.

Mr Thomas’ advice to Australian super funds is to garner security competence from the board level down as well as consult with third-party experts.

“Empower your security team. Give them a seat at the top table, if they haven’t got one already, and make sure (directors) are talking to them and make sure that it is in an investment context, that it isn’t just seen as a back office function,’’ Mr Thomas said.

Training all staff and directors in basic security hygiene and testing their competency, was also vital, he said.

“You want to be doing regular training as well as simulated phishing campaigns and other breach and attack simulations, so that you’re building security on the one hand and testing real-world outcomes and responses on the other,’’ he said. 

A third tip for trustees was hiring an outside adviser who kept abreast of the latest cyber-attacks, trends and developments. 

”Knowing when to outsource, knowing when to choose an external partner both on the technology side and the consultancy side is very important because there are massive efficiencies to be made and you don’t need to reinvent the wheel,’’ Mr Thomas said.

An IBM Cost of Data Breach Report showed the average cost to Australian companies for each data breach was $US2.92 million, up from $US2.82 million, in the year to March 2022.

Mr Thomas said the latest trends in cyber attacks on financial institutions were phishing attempts through their supply chains with cyber criminals searching for vulnerabilities in third-party providers and suppliers’ systems.

“Threat actors, in turn, are targeting supply chain companies and software providers rather than large companies, where they have links to financial institutions and their security might be weaker,’’ he said.

“There’s an ability, as well, to breach numerous financial institutions through one third party that they didn’t know that they had in common. So, in the super funds industry, you have to think about where there’s potentially systemic vulnerabilities”.

An example of systemic data breaches was with the 2020 malware attack on US software company SolarWinds whose enterprise software is used by thousands of organisations and government agencies around the world, he said..\

Another was the 2021 attack on Microsoft Exchange data servers which gave hackers backdoor access to more than 30,000 US organisations’ networks, emails and calendar invitations.

“Supply chain attacks are growing in frequency and as a super fund, (that is) exposing your members, exposing your systems, to both your critical service providers and basically any group you’re touching.” 

Meanwhile, consolidation in the super industry poses increased cyber risk. Consolidation has seen 15 funds merge in 2021 to 175 overall, and forecasts are that just 75 Australian super funds will exist by 2025.

Mr Thomas said Funds looking to merge could be “inheriting” vulnerabilities or some kind of legacy breach which could inadvertently be integrated into the newly-formed fund.

Including IT teams in any merger or acquisition deals was therefore important, he said.

“Are you going to be one of these companies where the last people to hear about an acquisition or merger is the IT department? The poor men and women have to work very quickly to try and integrate these things,’’ he said.

Thomas Murray Cyber Risk continuously assesses organisations’ public networks for breaches and vulnerabilities that could be exploited, rating companies from 0 to 1000.

It supplies the world’s largest banks, funds and stock exchanges and small organisations.