Powered by MOMENTUM MEDIA

Australia’s superannuation industry needs to wake up to the growing threat of cyber attacks

As APRA warns that cyber attacks against the industry are only going to increase, experts say that boards need to understand the true scope of the threat.

The Australian Prudential Regulation Authority (APRA) warned the superannuation industry in a recent briefing that it needs to step up its cyber resilience, giving the industry a hard deadline of 31 August to enable multifactor authentication and report on any material weaknesses in their security controls.

“Although APRA has consistently emphasised the importance of robust cyber security, it is clear that current controls are not always commensurate with the evolving vulnerabilities and threats, nor with the criticality and sensitivity of the member data and assets they protect,” APRA said in a 10 July letter to board chairs.

With the industry holding more than $4 trillion in member funds, APRA has put it on notice – do better, or face the consequences.

Brenton Steenkamp, head of Clayton Utz’s cyber practice, said super board members need to realise that cyber incidents, like the recent credential stuffing attacks in which attackers got away with $500,000 from a handful of super members, should not be viewed as one-off incidents.

“Cyber attacks can exploit industry-wide vulnerabilities, which often fall outside the remit of IT departments,” Steenkamp said.

“Business leaders must therefore elevate cyber risk from a technical issue to a strategic risk, and understand not only the circumstances of an individual cyber attack, but why an attack was possible in the first place.

“Member and customer trust can be fragile, particularly when sensitive personal and financial information is compromised. Even if an organisation is not directly breached, association with an industry-wide cyber event can raise questions about preparedness and transparency.”

Doug Nixon, Clayton Utz’s risk advisory partner, added that board members need to be ready to navigate the aftermath of inevitable cyber attacks.

“Super funds are custodians of members’ lifelong savings and identity data. If a member has a poor experience with communication clarity, fraud response or access to support after a cyber incident, that can significantly influence long-term loyalty. It’s therefore important executives map members’ experiences during a cyber incident and invest in proactive support,” Nixon said.

“We know that businesses have made huge strides in terms of their cyber resilience. But the landscape is fast-evolving, and therefore leaders in Australia’s superannuation industry need to be nimble in their efforts.”

Nixon said a good starting point for super funds was to completely reassess their third-party due diligence where sensitive data is in play, and to make sure any contracts include audit rights, incident notifications, and cyber liability.

“In the wake of a major breach, boards should also consider whether they are truly prepared to govern through a cyber crisis. While many boards receive regular cyber risk updates, these are often backward-looking and compliance-driven,” Nixon said.

“Incident simulations and scenarios tailored to specific industry contexts can reveal gaps in decision making, escalation paths, and board engagement, and can not only test a super fund’s technical response but also any legal, reputational, and financial implications.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
