Regulators warn super funds on vulnerable legacy systems

Australian superannuation funds have been urged to get their act together in forming a cross-industry forum to deal with cyber-security issues.

At the same time, superannuation funds have been told they need to decommission legacy IT systems to help handle increasing cyber threats.

Both the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA) have used a Superannuation CEO Roundtable to press on the funds the need to act.

The two regulators have revealed in notes from the roundtable that they had urged industry participants “to consider establishing, as soon as practicable, a cross-industry forum to discuss trends and share learnings in relation to cyb er risks and incidents”.

“While privacy, commercial and competition considerations are important, the CEOs agreed that a ‘safe space’ to share experiences would be of great benefit. APRA and ASIC are willing to play an appropriate role to encourage such discussions,” the notes said.

On the question of legacy systems, the regulators told the superannuation fund chief executives that to reduce the risk of significant compromise, trustees should have strong data and IT system governance measures that included the decommissioning of legacy systems and adequate service provider oversight”.

“Cyber incidents can have direct negative consequences for members. Trustees must make decisions which are in the best interests of their members and this includes providing members with timely and accurate communications and ensuring adequate resourcing for appropriate member support,” the regulator notes said.