UniSuper has experienced major website disruptions that have made its online account services, calculators and application forms temporarily unavailable.
In a letter to members on Thursday night, seen by Investment Magazine, the $130 billion fund said the issue originated from a third-party service provider. The then-unnamed provider was confirmed to be Google Cloud on Friday in a statement on UniSuper’s website.
The member letter said the issue was not a result of a malicious action or cyber attack, and no UniSuper customer data has been exposed to unauthorised parties.
“Unfortunately, this has caused disruption across the business. We are working around the clock to get systems back online swiftly, safely and securely,” the letter said.
“We are in the process of finalising how we are able to process member requests during this time in a way that is fair and equitable for members, as you expect and deserve.
“The mechanism for this may vary with the type of request, and we will provide further details when we can.
“As always, our members are front of mind, and we are prioritising the restoration of systems required to provide services to members.”
A UniSuper spokesperson confirmed on Friday that the issue is ongoing, and no service restoration timeline has been provided at this stage. Social media posts from members suggest the issue could be present for the past three days.
UniSuper migrated all non-production workloads from its data centres to Google Cloud last year.
“We need to be able to leverage cloud providers to be able to do that quickly and be able to do it in a way that presents an appropriate risk mitigation for us,” UniSuper’s head of architecture Sam Cooper told iTnews at the time, suggesting the move was essential for the fund to “scale our environment quickly”.
The outage came as APRA is putting pressure on funds to build organisational resilience. The regulator’s deputy chair, Margaret Cole, warned that with the commencement of Prudential Standard CPS 230 on operational risk management in mid-2025, funds need to start preparing now.
“Any trustees who have yet to start implementation will be on a fast track to non-compliance,” she told the Investment Magazine Chair Forum in January.
This includes identifying the resources needed to control operational risks, which will be substantial against each “critical operation” – that is, where an operational failure would have a severe negative impact on members.
The consequences for failing were seen on NGS Super last year. The $14 billion industry fund was hit with additional licence conditions after suffering a cyber attack, and is now required to use an independent third party to provide assurance around remediation activities and conduct an operational effectiveness review.
Importantly, both internal and external teams will be held accountable.
“If you outsource processes supporting any critical operations and something goes wrong in the delivery of service to your members, you remain on the hook,” Cole said.
This article has been updated since publishing.