Hard on the heels of the Optus and Medibank hacks, financial regulators are warning that superannuation funds are also a target.
As unsettling as the Optus and Medibank breaches were, they did not involve direct loss of customer money. But a breach of super fund security could put your retirement savings at risk.
The danger was one of several topics discussed at the annual Association of Superannuation Funds of Australia (ASFA) conference in Brisbane. General manager of the Australian Prudential Regulation Authority (APRA) Katrina Ellis outlined her concerns about the potential for fraud in superannuation.
Ms Ellis said the risk of security breaches on the scale of Optus and Medibank was increasing and needed to be tackled with haste.
“Luckily, there hasn’t been a material cyber incident in super so far, but our work highlights the need for a broad uplift in cyber risk management,” she said.
APRA will be proactive in this regard, with Ms Ellis signalling an intention to assess all APRA regulated super funds in 2023. This will be achieved through independent assessments via the Prudential Standard CPS 234 Information Security.
Introduced in 2019, the standard aims to ensure that APRA-regulated entities take suitable measures to guard against security incidents such as cyber attacks.
APRA was not the only authority whose focus at the conference was on cybersecurity. The Australian Securities and Investment Commission (ASIC) also emphasised the need for heightened awareness and safeguards in the superannuation and the financial services sector in general.
ASIC commissioner Danielle Press said: “I want to briefly touch on a topic raised by Katrina – cyber and fraud. One of ASIC’s strategic priorities across the financial services sector is to drive good cyber risk and operational resilience practices and act to address digitally enabled misconduct, including scams.”
While not directly referring to Optus or Medibank, Ms Press outlined ASIC’s worries about breaches in 2022: “Recently, we’ve seen cyber attacks affect the integrity and efficiency of global markets, and in turn trust and confidence in service and product providers.
“ASIC will continue to work closely with APRA and other regulators, regulated firms, and government on these important issues … We have a particular interest in how trustees deal with consumers who might be impacted by cyber issues and scams.”
Ms Press acknowledged that tightened security may have an impact on those legitimately trying to access funds.
“It’s critically important that you can balance access to information and ease of use, while ensuring members are protected,” she said. “That’s a hard balance, particularly when you think about access to funds paying out death benefits.
“We’re seeing a lot of noise starting to come up about how quickly or not quickly we’re paying out death benefits, and rollovers in this industry.”
Ms Press gave assurance that work on improving security would be collaborative: “ASIC will continue to work closely with APRA and other regulators, regulated firms, and government on these important issues.”
Meanwhile, the federal government is also overhauling other aspects of security following the Optus and Medibank disasters. Home affairs minister Clare O’Neil said the Optus and Medibank hacks highlighted flaws in laws introduced by the former Morrison government.
“That law was bloody useless, not worth the ink printed on the paper when it came to actually using it in a cyber incident. It was poorly drafted,” she said.
Ms O’Neil said the Albanese government would completely overhaul the original cybersecurity plan. That strategy will entail the home affairs department instituting a national cyber office, to be led by a new coordinator for cybersecurity.
Were you affected by the Optus or Medibank attacks? Are you concerned about security weakness in the super industry? Why not share your thoughts in the comments section below?
Also read: How to spot phone scams before they ruin you
Thankfully we have our own SMSF