
APRA yet to publicly act on cyber attacks

Mike Taylor, 8 April 2025

Australia’s superannuation regulator, the Australian Prudential Regulation Authority (APRA), has so far remained silent on the cyber attacks that have hit multiple major funds, but if recent history is a guide, the funds involved can expect the imposition of additional licence conditions.

In early December 2023, APRA imposed additional licence conditions on NGS Super after identifying what it described as “significant deficiencies” in the fund’s cyber controls.

The regulator saw those additional licence conditions as necessary following a March 2023 cyber incident which it said “saw a significant amount of data being lost and NGS’ systems being compromised for a period”.

APRA’s approach is likely to be coloured by the fact that it is less than a year since it wrote to superannuation funds urging them “to stay vigilant and proactively implement strategies to mitigate the risks and impact of potential cyber-attacks”.

The funds identified as being targeted in what is believed to have been a coordinated cyberattack were AustralianSuper, Australian Retirement Trust, Rest, Hostplus as well as Insignia Financial’s MLC Expand platform.

Insignia Financial, confirming the nature of the attack, said that it “appears to involve a malicious third party undertaking an activity known as ‘credential stuffing’”.

Credential stuffing is a cyberattack in which attackers replay stolen username and password combinations, typically harvested from earlier data breaches, against other platforms to gain unauthorised access to user accounts, relying on the fact that many users reuse the same credentials across services.

While it is understood that no member funds were actually lost in the 2023 attack on NGS Super, AustralianSuper last week confirmed that its members lost $500,000.

The cyber attacks have prompted claims from the cyber security sector that the industry needs to adopt a collaborative approach.

Software@Scale chief executive, Louis Droguett said the attacks had exploited compromised member credentials.

“These attacks weren’t about breaching firewalls; they exploited compromised member credentials, a clear blind spot in our cybersecurity landscape,” he said. “This isn’t a failure of multi-factor authentication (MFA) or firewalls, it’s a failure to detect what’s already leaked.”

“The threat was visible but not acted upon. This demonstrates a critical need for proactive dark web monitoring. Knowing when member credentials are compromised allows funds to take immediate action, before attackers can exploit them.”
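As an added illustration, not code from the article or from any of the funds named, the following Python flags the log pattern that the credential stuffing described above leaves behind: one source trying a different account on nearly every request, with only a few successes, which is the opposite shape to a single member mistyping their own password. The log format, IP addresses and account names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article): timestamp, source IP, account,
# outcome. 10.0.0.5 tries many accounts once each; 192.0.2.20 is one member retrying their own.
SAMPLE_LOG = """\
2025-04-01T09:00:01 10.0.0.5 member1042 FAIL
2025-04-01T09:00:02 10.0.0.5 member2231 FAIL
2025-04-01T09:00:02 10.0.0.5 member3390 FAIL
2025-04-01T09:00:03 10.0.0.5 member4410 OK
2025-04-01T09:00:04 10.0.0.5 member5555 FAIL
2025-04-01T09:00:05 10.0.0.5 member6178 FAIL
2025-04-01T09:00:06 10.0.0.5 member7001 FAIL
2025-04-01T09:00:07 10.0.0.5 member8123 FAIL
2025-04-01T09:00:08 10.0.0.5 member9002 OK
2025-04-01T09:00:09 10.0.0.5 member9777 FAIL
2025-04-01T09:01:00 192.0.2.20 member1042 FAIL
2025-04-01T09:01:30 192.0.2.20 member1042 FAIL
2025-04-01T09:02:00 192.0.2.20 member1042 OK
"""

def parse(log_text):
    """Yield (timestamp, ip, account, succeeded) for each non-empty log line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            yield datetime.fromisoformat(ts), ip, user, outcome == "OK"

def detect_stuffing(log_text, window=timedelta(minutes=5), min_accounts=8, max_success_rate=0.5):
    """Flag source IPs that, within any `window`, hit at least `min_accounts` distinct accounts
    with a mostly-failing outcome. Guessing one account's password (one user, many tries) does
    not match; credential stuffing (many users, about one try each) does. Successful logins
    inside a flagged window are the accounts to treat as taken over and review first."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(parse(log_text), key=lambda e: e[0]):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                      # slide the window forward in time
            win = events[start:end + 1]
            accounts = {u for _, u, _ in win}
            hits = sorted({u for _, u, ok in win if ok})
            if len(accounts) >= min_accounts and len(hits) / len(win) <= max_success_rate:
                flagged[ip] = {"attempts": len(win), "accounts": len(accounts), "hijacked": hits}
    return flagged
```

Thresholds such as `min_accounts` are assumptions to be tuned against a fund's real login volume; the same logic can be keyed on other request attributes (user agent, ASN) when an attacker spreads requests across many source addresses.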

Mike Taylor
Managing Editor/Publisher, Financial Newswire

3 Comments
Edward
2 hours ago

This is horrible but hardly surprising. Anybody who has dealt with these funds knows how poor their cyber security protocols are. They regularly ask members to submit mountains of sensitive information including TFNs to general enquiries email addresses.

I wonder if APRA/ASIC will sue the super funds like they have sued small advice practices for far smaller cyber incidents…

Researcher
2 hours ago

Insignia will be fined and additional licensee conditions added. The industry funds will have no penalty at all. Compare the pair.

Anon
45 minutes ago

If recent history is a guide… regulators will wave a wet lettuce leaf at the union (“Industry”) funds, while taking enforcement action against all other funds. They will also try to find a way to shift blame to innocent professional advisers, and persecute them most heavily of all.