Getting cyber security right

What can superannuation funds be doing to respond to the growth in cyber security threats?

Cyber security is one of the greatest challenges of our time. At Iress’ Super Efficient Conference in Melbourne, the Hon. Clare O’Neil MP, Minister for Home Affairs and Minister for Cyber Security, reflected on the increasingly challenging macro environment for cyber security and the opportunities for Government and industry collaboration. Dr Martin Fahy, CEO of the Association of Superannuation Funds of Australia (ASFA), and Paul Giles, Iress’ Head of Superannuation - Strategic Markets, continued the discussion with some practical tips for the superannuation industry. Here are the key takeaways.

An issue of national importance

Every sector of Australia’s economy is targeted by cyber attacks, with several recent well-publicised incidents reinforcing that we need every sector, business, and part of the Australian Government to take this threat very seriously. Critical infrastructure networks, of which the superannuation sector is a big part, are being targeted by a range of malicious cyber actors, and a cyber security incident affecting superannuation could be devastating for the victims of the attack, for trust in Australia’s digital economy, and for the reputation of the company involved.

Australia’s financial services sector needs strong risk management strategies to protect the security of their systems and their clients’ data. The Australian Government recognises that the superannuation industry cannot face these threats alone - it’s only through strong collaboration that we’ll be able to safeguard our digital way of life.

Industry and Government collaboration on cyber security

The industry is doing a huge amount of work to improve cyber security across superannuation, and you’re not in this fight alone. The Australian Government is committed to working with the financial services industry to develop the new 2023-2030 Australian cyber security strategy, which establishes a vision for harnessing the opportunities of Australia’s cyber security sector together. The Australian Government will be undertaking comprehensive consultation with the financial services industry to inform this strategy.

The Cyber and Infrastructure Security Centre

In 2021, the Australian Government established a dedicated Cyber and Infrastructure Security Centre (CISC) to engage with the owners and operators of Australia’s critical infrastructure and uplift security. Financial services businesses, including superannuation, are very important partners for the CISC. The CISC aims to improve the security of Australia through an approach that balances industry obligations with public and private sector partnership. Some of the initiatives include:

  • Requiring owners and operators of our systems of national significance to comply with enhanced cyber security obligations (setting a baseline for how these pieces of infrastructure are protected).
  • Working in close partnership with the owners and operators of security-relevant infrastructure to ensure they’re prepared to respond when hit with a significant cyber attack.
  • Cyber incident reporting obligations that require entities to report cyber attacks to the Australian Government, so the Government has a good understanding of what attacks might be coming down the pipeline.

The CISC recently developed a financial services and markets sector risk assessment advisory, which provides guidance on risk assessment approaches.

Methods of Government and industry engagement

The Trusted Information Sharing Network (the TISN) is the main way that the Australian Government and industry engage to enhance the security and resilience of critical infrastructure. Members of the TISN banking and finance sector group are supporting their organisations to boost security and resilience. To become a TISN member, you can visit CISC and register your interest. The superannuation sector can also work with the Australian Cyber Security Centre (ACSC), which is another important partner in the fight to secure our capability and respond to cyber threats.

In addition to Government collaboration to help front-foot cyber security, super funds should also consider the following tips:

Have a clear plan

Make sure you’re clear about your business continuity plan (BCP) and you have incident response plans in place. Your plans should clearly map out the processes to follow in the event of a cyber attack, and the people and logistics involved. Consider the following questions and use them in your incident response planning:

  • In the event of a cyber attack, who will notify the regulator?
  • Is everyone in your team clear on your breach notification requirements?
  • When would you shut down your key services?
  • How would you manage your key service providers?
  • Who has decision rights?
  • Where can you seek legal advice?
  • How will you keep a record of what happened?

Stick to your strategy

You’ve made your plans for a reason - now stick to them. It’s important to regularly run incident response simulations with your Board and Trustees so that everyone is aware of the agreed processes to follow and what needs to be done in any likely scenario. ASFA is looking to provide an industry-wide simulation that gets third parties such as custodians involved.

Establish protocols with third parties

Establish protocols with third parties, particularly your custodian, so you can continue to operate in the market in the event of a cyber attack. Pay attention to your cyber insurance obligations and the notifications you might need to provide to your various service providers. Make sure you seek out good expert advice early and set it up so you can tap into it when needed - this is particularly important when you’re developing your communications and media response plans. Ensure you have real clarity on the nominated spokespeople for the business and a good understanding of the political landscape.

Above all, don’t be afraid to get help from the community and the industry networks available to you. The ASFA cyber forum meets four times a year to address regulatory issues and recent developments in cyber security, in addition to sharing learnings around what others are doing, what they’re seeing, and the challenges they’re having. For more information or to get involved, visit the ASFA website.

Get moving to Iress Super. Chat to us today

Iress’ Super software takes the admin software you love and wraps it up with everything else you need to make Super happen in one platform, providing everything a fund needs to run more efficiently and securely. Our software will help you retain and win new members with digital-first technology that drives operational efficiencies and scalability for funds, members, employers, and trustees. For more information, visit: