The superannuation industry’s twin regulators have warned super funds to be ready for the unexpected and to prepare for an escalating incidence of cybercrime and scams.
But ASIC and APRA have warned the Investment Magazine Chair Forum that many funds are unprepared to cope with the expected onslaught, with work by the regulators revealing gaps in cyber defences and a lack of meaningful communication with members about the nature of scams and the remedies available to them.
Funds have also been advised to make better use of complaints received by members as a source of early insights into where things may be going wrong.
ASIC Commissioner Simone Constant told the forum that the Australian Competition and Consumer Commission’s Scamwatch service received more than 800 reports related to superannuation last year. ASIC has benchmarked the websites of superannuation funds against the big four banks for communication to consumers about scams, and found them wanting.
She said the big four banks “generally scored pretty positive results over 80 per cent of the time, which is probably not surprising, given they now have to protect Australians from scams by law”.
However, super funds generally scored between 40 and 60 per cent, “so not even a passing grade in some cases, and some of it’s really basic stuff”.
She said only nine funds’ websites clearly defined what a scam is; one in three failed to provide messaging on the common signs of a scam; only two of the 47 funds offered members fraud or scam-alert subscriptions; and only one in five provided a dedicated telephone or email contact for members to report potential scams or fraud.
From ASIC’s perspective, fund communication with members is “really important”. When something goes wrong, education, information, access to their fund and clear communication are critical to members understanding what is happening.
“We also know from all the research, and see some of the poorer outcomes when people have had harm, that a quick response and being able to contact the right person and do the right things can at least cauterise, if not even get back some of the money that’s been lost.”
APRA deputy chair Margaret Cole told the forum that funds had few excuses for not foreseeing the likelihood of concerted cyberattacks on members’ assets and data.
“Last year’s credential-stuffing attacks… took the impacted firms and members by surprise, but those attacks occurred six years after APRA had introduced baseline information security obligations for APRA-regulated entities, and they followed repeated warnings from APRA, ASIC and others that trustees needed to strengthen cyber controls,” she said.
She said APRA would maintain heightened supervision of the funds affected.
“Last year’s cyberattacks expose persistent weaknesses in authentication practices across the industry. With cyber and fraud incidents on the rise, it’s frustrating that some trustees have dragged their feet to comply with APRA’s information security standard, CPS 234 – which is not the ceiling, by the way, it’s the floor.”
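The credential-stuffing attacks Cole refers to have a recognisable shape in authentication logs: one source trying many distinct member accounts in a short window, most attempts failing, and a handful succeeding where a member reused a password that leaked elsewhere. The following is an added example, not code from the article, ASIC or APRA, of a simple detector run over constructed log lines; the log format, field order, IP addresses, member ids and thresholds are all assumptions made for illustration.

```python
"""Credential-stuffing detection over constructed authentication logs.

Added example, not code from the article or from ASIC/APRA. The log format
(ISO timestamp, source IP, member id, outcome) and the thresholds below are
assumptions, not a real fund's logging scheme.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). One source spraying eight
# accounts in seven seconds with two hits, one member fumbling their own
# password, and one ordinary login.
SAMPLE_LOG = """\
2025-04-01T02:00:01Z 203.0.113.10 member1001 FAIL
2025-04-01T02:00:02Z 203.0.113.10 member1002 FAIL
2025-04-01T02:00:03Z 203.0.113.10 member1003 OK
2025-04-01T02:00:04Z 203.0.113.10 member1004 FAIL
2025-04-01T02:00:05Z 203.0.113.10 member1005 FAIL
2025-04-01T02:00:06Z 203.0.113.10 member1006 FAIL
2025-04-01T02:00:07Z 203.0.113.10 member1007 OK
2025-04-01T02:00:08Z 203.0.113.10 member1008 FAIL
2025-04-01T08:15:00Z 198.51.100.7 member2001 FAIL
2025-04-01T08:15:20Z 198.51.100.7 member2001 FAIL
2025-04-01T08:15:45Z 198.51.100.7 member2001 OK
2025-04-01T09:00:00Z 192.0.2.44 member3001 OK
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, member, success)."""
    ts, ip, member, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, member, outcome == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that hit many distinct accounts within `window` with a
    low success rate. Returns {ip: finding}; each finding records the widest
    qualifying window and the accounts that succeeded from that IP, which are
    the ones to treat as compromised (reused passwords) rather than as
    legitimate logins. Repeated failures on a single account (a forgotten
    password, or single-account brute force) do not match this signature.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, member, ok in events:
        by_ip[ip].append((ts, member, ok))

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        # Sliding time window over this IP's events, oldest to newest.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            accounts = {m for _, m, _ in window_evs}
            successes = [m for _, m, ok in window_evs if ok]
            success_rate = len(successes) / len(window_evs)
            if len(accounts) >= min_accounts and success_rate <= max_success_rate:
                prev = findings.get(ip)
                if prev is None or len(accounts) > prev["distinct_accounts"]:
                    findings[ip] = {
                        "distinct_accounts": len(accounts),
                        "attempts": len(window_evs),
                        "compromised_accounts": sorted(set(successes)),
                    }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, finding)
```

The two successful logins inside the flagged burst are the operationally important output: a fund that only alerts on failures would let those through as normal sessions. In practice the same logic would key on more than source IP (ASN, user agent, device fingerprint) because stuffing tools rotate through proxy pools, and the compromised-account list would feed a forced password reset and member notification rather than a dashboard.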
Constant said ASIC is conducting a review of how super funds handle complaints to identify and address current and future service issues, and while it is early in the process the results have not been pretty. As with implementation of the Retirement Income Covenant, some funds are a lot further ahead than others, and size is not a predictor of progress.
“Incredibly, five of the 10 trustees that we are looking at in depth have not identified a single systemic issue from analysis of their complaints data over our period of review,” Constant said.
“So let’s just sit with that for a minute. These trustees received thousands of complaints, but they’ve told us they haven’t identified one single systemic issue through their regular review of complaint data.
“And at least one trustee actually failed to analyse their complaints data at all.”
Constant told the forum that “it’s not a moonshot to say that super will one day be – and one day not too far away – the biggest part of our economy”.
“That will make you stewards of more than Australia’s retirement future, but of our economic future too – custodians of stability and confidence.”
Constant said scams and fraud were rated by fund trustees as relatively low priorities a year ago, but that changed quickly.
“I was up here at the time telling you, I’ll admit pretty sternly, that you needed to look at your controls,” she said.
“Then fast forward two months, and a number of super funds, of course, were hit with cyberattacks. We saw up to 9000 member accounts impacted, and more than half a million dollars of members money stolen.”
The scale of superannuation – $4.5 trillion as at last September – makes it a clear target for bad actors.
“It also means it now comes with very big obligations, and if you are to meet these big obligations to members and to markets, your size means you actually need to think differently now about your role in the system.”
Cole told the forum that she rejected suggestions that regulations were not fit for purpose for supervising the platforms that hosted the failed Shield and First Guardian managed investment schemes, in which investors have lost an estimated $1 billion.
“I don’t really understand that suggestion,” Cole said.
“The place where we put the responsibilities and the obligations is on the trustee. That’s all we can do, because it’s the trustees that we regulate under the obligations under the SIS Act and our own standards. So we’ve got to place our obligations and requirements at the trustee level.”
Cole said it would ultimately be determined by the courts whether trustees had adequately discharged their obligations in relation to Shield and First Guardian, and that “it’s not for me to step in and make that judgment beforehand”.