Can super funds mount united front on cyber security?

The Australian Prudential Regulation Authority (APRA) has made clear to the superannuation sector that it needs to develop the ability to deliver a coordinated industry response in the face of a cyber incident affecting multiple stakeholders.
The regulator has made its expectations clear in the wake of an industry roundtable which involved representatives from Australia’s largest superannuation industry organisations, the regulator itself and, more importantly, the National Office of Cyber Security.
The roundtable was held in July with cyber incidents targeting superannuation funds in March and April at the top of the items for discussion. Among the funds targeted in the attacks was Australia’s largest fund, AustralianSuper.
APRA’s analysis was that while the overall impact of those cyber incidents targeting individual superannuation members had been contained, “it was recognised as an indication of the system’s appeal to threat actors”.
“The timing of the incident, which coincided with market volatility, was also considered relevant to the overall impact,” the APRA assessment of the roundtable discussion said.
Without naming particular funds as laggards, APRA made clear that some funds had performed better than others in dealing with the cyber incidents.
“Entities that responded effectively demonstrated a clear understanding of their control environments, particularly around payments processes, which enabled swift action to interrupt transactions and recover funds,” it said.
“The industry needs to improve awareness of incident impact on public perception and member trust, as well as improved coordination for timely responses. Entities with clear accountability for member protection consistently outperformed others, highlighting the value of a proactive cyber security approach.”
The need for a collective approach was driven home by National Cyber Security Coordinator, Lieutenant General Michelle McGuinness, who referred to “a key tension between competition and collaboration in the cyber security space which can hinder collective progress”.
A key question submitted to the roundtable was, “in the event of a cyber incident affecting multiple stakeholders – including funds within the superannuation ecosystem – who will be responsible for coordinating the industry response?”
“In the first instance RSEs and operators need to respond and address immediate threat/s during an incident. While it was acknowledged that it is challenging to identify responsibility for an overall response, today’s roundtable reflects the need and an opportunity for the industry to develop this capability,” the APRA analysis said.