Why super needs a ‘zero-defect mindset’ for operational risk


In May 2024, UniSuper members suddenly found themselves unable to access their accounts. Google Cloud, one of the world’s largest cloud service providers, had accidentally and without warning deleted the fund’s account and its backups in what the company’s CEO called an “isolated, one-of-a-kind occurrence… [that] should not have happened”. It took more than a week to restore services.

Wade Martin, UniSuper.

“We were able to spin up manual processes, and it was one of the key learnings,” UniSuper chief risk officer Wade Martin told a Conexus Financial roundtable hosted in partnership with Northern Trust.

“And something we took through into implementing CPS230 was to have well-established manual work-arounds for a platform-level event. Could we have done anything to prevent what happened to us? We were offline for 12 days, the post-incident review took 12 weeks.

“We went right back to the establishment of the cloud strategy, the selection of the provider, to establish whether there was any act or omission on the part of the trustee that contributed to the failure. There wasn’t. And it was established through that process that whilst there’s been cloud disruptions globally and historically, this was the first event of its kind. We couldn’t have prevented it, but we needed to respond, and we needed to take accountability for the outcome and the recovery.”

For the wider industry, the outage might have been a sign of things to come. While the outage wasn’t UniSuper’s fault, it signalled that funds now have to think seriously about not only investment performance, but the systems and infrastructure that underpin their ability to handle insurance claims and pay out members.

Jon Coleman, Australian Retirement Trust

There were plenty of learnings from the experience, Martin said, chief among which was that “resilience and recovery are a team sport”. Everyone in the organisation has a role to play, and to approach CPS230 as only a compliance exercise is missing the point.

“I think the regulator expects our sector and our industry to adopt something like the approaches to health and safety in the mining industry, or even the retail industry obsession with customer outcomes. I think we need to become obsessed with operational resilience… yesterday’s implausible scenario is today’s plausible scenario. Our event proves that.”

And as those scenarios occur more and more often, funds must give more thought to how they handle them, both inside and outside the fund. When a number of super funds were struck by a co-ordinated credential stuffing attack earlier in the year, they were dealing not only with the internal disruption to services, but with a storm of media and regulator attention. But there were good lessons from that too – like why compliance shouldn’t be treated as a box-ticking exercise but instead brought into a holistic risk management approach.

Cbus was caught up on the periphery of the credential stuffing attack, but was able to limit its impact. Still, its CEO, Kristian Fok, said that more needs to be done to prevent or negate future attacks, especially as the size and sophistication of those attacks increase.

Kristian Fok, Cbus

“I think the industry has gone from people sort of sniffing around randomly, to looking for a way to take something and run it across the whole industry,” Fok said.

“We experienced a copycat attempt; when the larger thing was going on, they tried to do the same thing with us. We had member numbers, not emails. So they couldn’t do it as well, but we still saw that. So it’s absolutely imperative that we have an industry wide solution, and the CEOs have been sort of talking together about trying to do that. The sharing of information is critical, and it has to be industry wide, and that will help people to be a bit more proactive.”

Insignia chief risk officer Anvij Saxena agreed, saying the super industry “didn’t live up to regulatory expectations” during the credential stuffing incident. While funds mostly handled their internal responses well, they fell short when it came to communicating what was going on to external stakeholders.

“I think on one level there is very close connectivity, but I think on another level – a more strategic level – there’s more work to do on collaboration,” Saxena said.

“I think cyber is just the edge of a bigger wedge; I think what we’re seeing in the super industry generally, and I’ve seen post-Covid in particular, is that community expectations have gone through the roof. What we all thought passed the pub test five years ago is no longer the pub test today.

Anvij Saxena, Insignia Financial.

“This is where super’s opportunity and risk lies. I think we have to start moving towards a zero-defect mindset, as opposed to accepting that, just because as an industry we are inherently complex, it’s okay for things to keep going wrong.”

Part of that move to a “zero-defect mindset” could involve extending training and stress testing beyond the fund to encompass third-party service providers and stakeholders, according to Raelene Seales, CEO of Prime Super.

“It’s great to see the super industry dragging third parties into the resilience testing as well and having them involved in that,” Seales said.

“I’ve been involved in banks and they’ve been doing that for years; insurance companies have been doing that for years. I think the only way we can start getting third parties to really own their obligations in this space is to say ‘you are part of our business continuity plan training; you are in the office with us when we are doing that resilience testing’. And that then will really hone their skills.”

Raelene Seales, Prime Super.

Natalie Previtera, CEO of NGS Super, said that super funds must move away from a fixation on trying to get everything for the lowest possible price and invest more in the relationship with their outsourced service providers, particularly in administration, to ensure that more cracks don’t appear in the system.

“We’re obviously very focused on the net benefit we’re delivering to our members, but we do have a responsibility with the service providers we’re working with to make sure we aren’t grinding them into oblivion.

“We want to see innovation into the future, because our member expectations are only increasing,” Previtera said. “We’ve got a range of different threat actors out there who are looking to crack into a really promising system here. I think CPS230 has certainly sharpened the mind, but we’ve got to start thinking as an ecosystem rather than just internally.”

Seales said that the price pressures affecting investment managers are starting to be seen in administration too, which could have a significant impact at a time when regulators and members are demanding higher-quality services. An unprecedented level of price and product variation is emerging.

“That suggests to me that market share is being bought, and it’s something we need to approach with a high degree of caution.

Natalie Previtera, NGS.

“I don’t have a view on who’s good and who’s bad, but there is definitely a lot of market buying occurring in the admin space, and what’s driving that is fee pressure and admin costs. Let’s face it – none of our costs are reducing. They’re all going up from an administration perspective.”

That change requires a wider shift in mindset around costs, with funds and regulators understanding that what it takes to build a world-class system cannot necessarily be accomplished at bottom-shelf prices.

“We need resilience. We need to not shy away from innovation. We need to have great service providers who will have long-lasting relationships with us. We need to reward people who are taking a little bit of risk in that area so we can do things differently.”

Leon Stavrou, Northern Trust head of Australia and New Zealand, said that funds must also learn more about how their service providers think about their own business rather than just the kind of service they can expect, or risk being caught flat-footed when change sweeps a particular industry or when a key provider shuts up shop. 

“We outsource as well,” Stavrou said. “When I think about our outsourcing relationships, the worst thing that can happen is that that service provider to us is not investing in their business.

Leon Stavrou, Northern Trust.

“And so it’s incumbent to understand what their strategy is, how we can actually inform that and help them with that strategy to make them successful, so that we’re not finding ourselves in a situation where we’re having to find another provider because their business isn’t viable. We don’t call them vendor relationships, we call them strategic partnerships, and invariably, they’re two-way.”

That’s particularly pertinent in custody, which has seen massive change as a result of super fund consolidation, with a number of market participants – including the venerable NAB Asset Servicing – exiting.

“The question for me is how do funds understand what is the strategy of these businesses that you’re outsourcing work to, and how can you work with the custodians and their business to make them successful?” Stavrou said. “Moving custodians is a big undertaking – and it should be a strategic decision rather than something that is forced as a result of a market participant exit.”

Internalisation

But as more funds bring investments in house as a result of fee pressure and the scale that size affords them, they are also internalising the operational risks associated with them. Stephen Reilly, chief operating officer at HESTA, said the fund has taken a “slightly different approach” than others to building flexibility into its operating model, primarily around how it integrates and distributes the data it uses for decision making.

Stephen Reilly, HESTA.

“That way we can de-componentise what we get from our custodian partners, and then when it makes sense, from a net benefit point of view, decide to bring some functions in-house. We’re doing more of the Treasury functions than we used to do. We’re doing more of the data analysis than we used to do, but then we still lean on our custodial partnerships when we think that makes a net benefit difference overall.

“When you look at what we’ve done with internalisation, it’s quite a different model to others. We’ve been very quantitatively driven so that the internal team have the ability to respond in the very short term in parallel with what’s largely been a long-term investing philosophy. We’re able to make those trade-offs for flexibility and decision making.”

As Aware Super went down the road to more internalised investment management – though it still runs a hybrid model with some investments outsourced – it was forced to confront an operating platform installed back when the fund was still in the double-digit billions.

“When we looked at the systems that we were operating on, we knew they weren’t fit for purpose,” said Michael Clavin, head of income and markets at Aware Super.

Michael Clavin, Aware Super.

“Areas that needed upgrades included our data warehouse, our operating platform to support listed and unlisted assets, and some services we traditionally relied on custodians for: mainly performance attribution. Those weren’t fit for purpose for where we were going.”

To that end, the fund began Project Odin, an uplift of its internal investment platform to help its investment team make “timely and accurate decisions with data they trusted”. That meant transforming the data it was getting from its custodian and selecting outsourced providers for data services, its listed and unlisted operating platform, and performance attribution.

“I think if you’re a defined contribution fund with a growing post-retirement member segment as well as growing individual needs of members – these needs can lead to very complex investment strategies. We’re not like other pension funds in the world; we resemble complex, multi-asset investment managers, and we need to act more like them when it comes to systems and data,” Clavin said.

“I think what we didn’t do well enough in the past was operational system upgrades were run as projects, and when that project was done we didn’t budget or contemplate further investment in the platforms. What we’ve learned is to make sure you have a constant budget to look at your operating model and evolve it to the needs of what you’re investing in now and in the future, as well as the needs of the regulator and the needs of your members while leveraging changing technologies like AI.”
