The superannuation industry has the highest frequency of material cyber incidents but the lowest preparedness for cyber-crime related incidents, according to Deloitte.
“If you look at why it’s attractive, it’s the numbers,” said Tommy Viljoen, leading partner, cyber security strategy and governance at Deloitte Australia. “It’s not like a bank account, where you hold a certain amount of funds in that account. When you talk about rollovers, there are no limits,” he said.
“Also, from a cyber perspective, the owners of the accounts are not reactive. You don’t go and look at your super balance on a daily basis. You may look at the end of the year and notice that you have a problem, but that’s way too late. It’s ripe for the taking from a criminal perspective.”
Recently, Deloitte issued a report into risk management of cyber-crime in the superannuation industry. The report pointed to the unique characteristics of superannuation that lend themselves to making it an “attractive” target for cyber-crime – oversized money pools and low member engagement.
The report also cited a complex third-party environment as a risk. Further, the industry focus on improving member experience with online member portals and mobile apps increases “the inherent risk that an attacker can access member information or initiate transactions if they have a member’s log-in details.” Faster payments mean that outbound payments or rollovers can be made “promptly, with limited human oversight and can reduce the time window for detection of a fraud or recovery of funds paid in error.”
“Add to that the fact that the superannuation industry has traditionally not had the same level of investment in cyber risk mitigation as the banking industry,” Viljoen said. “Partly because a lot of processing was manual and they could control large amounts of it manually … as it gets more digitalised, and payments increase, so that ability to carry out the manual checks reduces.”
This isn’t the first time that alarms have been sounded regarding cyber-crime and superannuation. In 2016, the Australian Prudential Regulation Authority (APRA) conducted a survey into cyber security. Just over half of all survey respondents – 20 regulated entities and one service provider – experienced at least one cyber security incident in the 12 months leading up to the survey that was “sufficiently material to warrant executive management involvement.”
APRA questioned 37 regulated entities and four significant service providers across its regulated categories, and 75 per cent of the super funds surveyed said they experienced a cyber security incident. By comparison, 46 per cent of life and general insurers had a cyber-security incident, and 44 per cent of authorised deposit-taking institutions (ADIs) had an incident over the same period.
There has to be a variety of responses from super funds, Viljoen said. First, education for the funds and their staff, so that as cyber-crime practices change, staff are aware of them and can evolve into what Viljoen calls “the human firewall.”
Next come strong cyber controls.
“I talk about two-factor authentication being both technological and physical,” he said. “Can you contact the member and say, are you comfortable with this? A second line of check in becomes very important.”
The third area of focus should be analysis of data to identify unusual patterns of behaviour.
“If someone’s email address is changed, if their passwords change, when you have those occurring – that’s high risk,” Viljoen said. “You need to escalate the level of checking you do to ensure that this is not a criminal activity.”
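The pattern Viljoen describes, a change to a member’s email address, password or bank details shortly before an outbound rollover, can be checked mechanically against a fund’s member-portal audit log. The following Python is an added illustration, not code from Deloitte, APRA or any fund. The log format, the event names (`email_change`, `password_change`, `bank_account_change`, `rollover_request`), the 14-day look-back window, the risk weights and the escalation threshold are all assumptions chosen for the example; the log lines are constructed. Rollover requests that follow recent credential or contact changes are scored and held for the out-of-band member contact Viljoen calls the physical second factor, while requests with no such history pass straight through.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed risk weights per event kind; a real fund would tune these from its own fraud history.
HIGH_RISK_CHANGES = {
    "email_change": 2,
    "password_change": 2,
    "phone_change": 1,
    "bank_account_change": 3,
}
LOOKBACK = timedelta(days=14)  # assumption: how far back a change still counts
ESCALATE_AT = 3                # assumption: score at or above this holds the payment


@dataclass
class Event:
    member_id: str
    ts: datetime
    kind: str
    detail: str = ""


def parse_line(line: str) -> Event:
    """Parse one constructed audit line: '<ISO timestamp> <member> <event kind> [detail]'."""
    parts = line.strip().split(" ", 3)
    ts, member_id, kind = parts[0], parts[1], parts[2]
    detail = parts[3] if len(parts) > 3 else ""
    return Event(member_id, datetime.fromisoformat(ts), kind, detail)


def assess_rollovers(events):
    """Score every rollover request by the risky changes that preceded it within LOOKBACK.

    Returns one alert dict per rollover request with the score, the triggering
    event kinds (in time order) and the recommended handling.
    """
    by_member = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):   # time order so evs[:i] is strictly earlier
        by_member[e.member_id].append(e)

    alerts = []
    for member_id, evs in by_member.items():
        for i, e in enumerate(evs):
            if e.kind != "rollover_request":
                continue
            window_start = e.ts - LOOKBACK
            recent = [p for p in evs[:i] if p.ts >= window_start and p.kind in HIGH_RISK_CHANGES]
            score = sum(HIGH_RISK_CHANGES[p.kind] for p in recent)
            alerts.append({
                "member_id": member_id,
                "requested_at": e.ts.isoformat(),
                "score": score,
                "triggers": [p.kind for p in recent],
                # Escalation = hold the payment and confirm with the member out of band.
                "action": "hold_and_contact_member" if score >= ESCALATE_AT else "straight_through",
            })
    return alerts


# Constructed sample log. M1001 shows the takeover pattern; M2002 has no prior changes;
# M3003 changed a password two months before the request, outside the look-back window.
SAMPLE_LOG = """\
2024-03-01T09:15:00 M1001 login ip=203.0.113.10
2024-03-01T09:17:00 M1001 email_change new=new-addr@example.net
2024-03-01T09:20:00 M1001 password_change
2024-03-03T11:02:00 M1001 bank_account_change bsb=000-000
2024-03-03T11:05:00 M1001 rollover_request amount=185000.00
2024-02-10T14:00:00 M2002 login ip=198.51.100.7
2024-03-04T10:30:00 M2002 rollover_request amount=12000.00
2024-01-05T08:00:00 M3003 password_change
2024-03-05T16:45:00 M3003 rollover_request amount=50000.00
"""


def assess_log(text: str):
    """Convenience wrapper: parse a log text and return alerts keyed by member id."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return {a["member_id"]: a for a in assess_rollovers(events)}


if __name__ == "__main__":
    for member, alert in assess_log(SAMPLE_LOG).items():
        print(member, alert["score"], alert["action"], alert["triggers"])
```

In this sample M1001 scores 7 (email, password and bank-account changes inside the window) and is held for member contact, while M2002 and M3003 score 0 and proceed. The weights and window are deliberately simple; the point is that the risky sequence is visible in data the portal already records, so the check can run before the faster-payment rail moves the money.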