Super funds have tightened security controls and surveillance systems to protect members’ data against breaches amid tighter scrutiny by the financial regulator after last year’s cyber attacks on Optus and Medibank resulting in the theft of customer data.
APRA has prioritised cyber resilience among banks, insurers and super funds as a key area of supervision this year. “Operational resilience, including cyber preparedness, continues to grow in importance as a supervisory priority, with the significant data breaches at Optus and Medibank late last year underscoring just why,” APRA chair John Lonsdale said. The regulator has had recent discussions with super fund trustees on this risk.
“Cyber security is a key priority. This is an area we’re constantly evolving in line with the threat landscape, particularly in relation to identity management,” TelstraSuper chief executive Chris Davies tells Investment Magazine.
“Following widespread cyberattacks in the community, we are currently implementing additional measures to help protect and safeguard accounts.”
These extra safeguards include performing additional security and verification checks when members transact on their accounts, requesting additional security verification details from members when they call the fund and providing members with the option to add additional security questions to their account when they call.
As a result of the Optus and Medibank attacks, Australian Retirement Trust brought forward the regular penetration test of its network perimeter to probe for vulnerabilities says chief technology officer Rod Greenaway.
“We are [moving forward with]… continued awareness campaigns with our team members, our incident response plans and prioritising investment in our digital fraud prevention technologies, with a focus on detection and response in the event of suspicious activity.”
ART has imposed two-factor authentication, access controls, fire walls, virus scanning, encryption and regular security training for staff as well increased security measures for members such as password protection and additional checks for withdrawal activity.
The funds Investment Magazine spoke to said they were investing in technology security. Though all declined to give dollar figures, UniSuper said its budget grew by 30 per cent this year.
UniSuper has a 25-person strong technology security team and security operations is outsourced to a third-party provider on a 24/7 basis. It has deployed multi-layered controls to protect sensitive information and increased member awareness through bulletins and call centres.
UniSuper head of information security Vijay Krishnan says the biggest change since last year has been the increased focus from the board and senior management which has resulted in more information sharing on how the fund is managing the increased risk.
AMP similarly has introduced extra security controls to verify identity and frequent review of security logs to detect and block suspicious activity on member accounts, according to AMP chief technology officer Felicia Trewin.
“Protecting our customers and members from cyber risks is a major focus for AMP and an area where we continue to invest to ensure best practice,” she says.
AMP also works with the Australian Cyber Security Centre, law enforcement and threat intelligence organisations.
Spirit Super reported some 50,000 members were hit by a data breach last May due to a phishing attack, underscoring how vulnerable super funds are to cyber attacks and reputational risk.
“We need to safeguard our members data as any misuse may impact them for life. Any breach is just not about the loss of money but the loss of reputation,” UniSuper’s Krishnan says.
As the competition for member growth intensifies, reputation is critical for funds to raise their profiles says Michael Swinsburg, managing partner – Australia at executive search firm Alexander Hughes, who advises wealth managers and super funds on senior executive recruitment include chief technology officer roles.
“No one wants to be a news headline for a cyber breach like Medibank. This would be more damaging to member confidence and fund reputation than poor performance on the YFYS benchmark test,” he says.
The breaches at Optus and Medibank are only a fraction of the security attacks reported. UniSuper encounters billions of attempts on its systems through automatic bots looking for vulnerabilities according to Krishnan, highlighting the enormity of the issue.
“The breaches at Optus and Medibank are only the tip of the iceberg. There would be security events happening almost every day,” he says.