Information security for superannuation funds

13 Sep, 2023

Cyber security priorities for superannuation funds

It should come as no surprise that information security and data security are a top priority for superannuation funds. In May 2023, superannuation fund CEOs attended a roundtable hosted by the Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC). At the roundtable, fund representatives learned how to build cyber resilience into their operations, shared their approaches to the information security challenge, and acknowledged the importance of protecting the growing volume of data held and accessed by funds, particularly personal information.

Multiple data sources and manual touch points

Superannuation funds are complex financial services businesses. They generally rely on multiple IT systems and on a high, and ever increasing, volume of data. Automation is one way that manual touch points (MTPs) are being removed, bringing efficiencies to portfolio rebalancing and other aspects of superannuation fund management.

Recent research by JP Morgan shows that this is an ongoing, high-priority challenge for the industry, with funds seeking to amalgamate multiple data feeds from data providers: most funds said they had 6 to 10 data sources.

According to the same research, a shift is occurring, with funds replacing manual processes, Excel spreadsheets and email with more secure, dedicated software solutions.

9Yards Senior Consultant Tatiana Konnova agrees, saying that for banks and superannuation funds alike, incomplete, limited or outdated data could trigger wrong and untimely predictions, leading in turn to weakened defences against external threats, as well as to human error amongst internal staff.

She suggests that a commitment to a strategic planning process and working to a framework of best practice will help to mitigate the risks that sometimes come with upgrading or updating data systems.

The need for cyber resilience

In their report on the roundtable, APRA and ASIC identified cyber resilience as a key concern for superannuation funds, with a focus on data security.

“…the frequency, breadth and scale of cyber-attacks is escalating rapidly. As a result of growing scam, fraud and cyber threats, it is crucial that all superannuation trustees have adequate measures in place now to prevent, detect and respond to these threats.”

CEOs attending the roundtable identified that they were improving cyber resilience by:

  • reviewing and improving their data management plans
  • improving cyber knowledge and capability of internal stakeholders, including Boards
  • developing and testing their response plans to make sure they are prepared for an incident.

This aligns broadly with the financial sector’s use of data analytics to manage risk, through:

  • risk modelling
  • credit risk analysis
  • fraud detection, reduction and prevention.

Data analytics is a powerful tool for risk modelling across all asset classes. It can show what a proposed investment will cost, what returns might be expected and what additional risk it would create, all before a decision is made. For super funds, with multiple data sources and layers of complexity, it is a specialist skill.

9Yards Principal Consultant and Director Phil Yeardley agrees. “The most important consideration is to work with someone who has the experience and skills to give you confidence you’re in safe hands.”

Cyber security lessons learned

Regulators at the roundtable shared lessons learned from recent cyber-attacks in Australia, both in the superannuation sector and elsewhere. They identified the following priorities:

  • strong data and IT systems governance to reduce the risk of systems being compromised. Measures include the decommissioning of legacy systems and good oversight of service providers.
  • a response plan that considers governance, decision making, business continuity, contingency planning and a communication strategy.
  • simulated threats and incidents, and testing response plans. A response plan is not ‘set and forget’ and needs to be tested. Simulations of cyber threats and trustee responses are an effective way of ensuring that trustees are well-prepared and response plans are fit for purpose.
  • clear roles and responsibilities. Regulators identified that it is important to have a clear separation between board and management responsibilities, well in advance of an incident.
  • effective communications and support to trustees and members. Trustees must make decisions which are in the best interests of their members and provide members with timely and accurate communications and support.

Alex Crommelin, a senior consultant at 9Yards who has been working closely with clients across the financial sector, agrees. He adds a note of caution for organisations upgrading and updating their systems to improve security and become future-ready. “Even the really large organisations that are dedicated to developing their own software products end up being, to some extent, business integrators.”

He warns that there is no one solution that meets the needs of complex financial businesses like superannuation funds and banks. It can be tempting to work with one provider and go for low-cost, bundled, out-of-the-box solutions. He says experience has shown him that bringing digital transformation consultants with deep experience and industry knowledge to your digital transformation project is actually going to save you money and heartache in the medium and long term.

If your superannuation fund is looking to build cyber resilience and become future ready in a world where information security and data protection are paramount, it’s time to talk to the team at 9Yards about how they can help.