Why super funds must ‘break the barrier’ of silence on cyberattacks

Superannuation funds need to create a stronger culture of information sharing – and the infrastructure to support it – to mitigate both the risk and damage of cyberattacks, according to Michelle Bower, CEO of the Gateway Network Governance Body (GNGB).

The superannuation industry-owned not-for-profit manages the integrity of the Superannuation Transaction Network (STN) – the data infrastructure that transports contributions and rollovers between employers and superannuation funds.

“There’s pockets of sharing,” Bower tells Investment Magazine.

“It’s cultural; for many years, and this goes across financial services as well, we’ve been taught not to share and to keep everything private. We need to break that barrier and get leadership in these organisations to set the example and empower people to share. That has to be part of people’s job descriptions to alert their peers that this is happening.”

Cyberattacks on super funds during April, which resulted in $750,000 being taken from AustralianSuper member accounts, were defined by confusion among both stakeholders and observers as to exactly which funds had been attacked, and how.

“The historical view has been ‘I don’t want to share my dirty laundry’,” Bower says.

“There has been concern about brand damage and reputational damage doing that. But we’re very clear that there’s a difference between sharing on an operational level to protect others versus going public about what has happened to your organisation.

“Inevitably, where there’s a member impact – where members can’t access their accounts or there’s an outage of a portal or something or can’t even see a fund’s website – the media are going to find out about that. In some ways we’re living in the dark ages – we have to get out in front of that communication as opposed to sitting behind the National Office of Cyber Safety (which manages responses to cyber security incidents of national significance or interest) and saying ‘nothing to see here’.”

While the government has restrictions on the information it can share – which played a role in the incident in April – and funds are therefore sometimes limited in what they can tell each other, Bower believes that the “perception” of legal barriers against sharing is stronger than the barriers themselves.

And with the Financial Accountability Regime creating the possibility of penalties for breaches of prudential standards, it’s in the best interests of accountable persons to share information wherever they can.

“Best practice looks like one network across this sector for sharing information during an incident,” Bower said.

“Often we don’t know what the impacts might be on other organisations, so there has to be no obstacles to decision making during the heat of the moment. We need to establish that up front – one single platform for sharing. We also need to be better at communications as an industry – particularly when multiple entities are impacted, but even when they’re not.”

“(When there’s an incident) it’s the superannuation brand that’s often damaged, not necessarily the fund brand. Even when it’s not multiple organisations, you’ll get a spike in contact centres with members calling.”
