A new report commissioned by Gateway Network Governance Body Ltd (GNGB), co-authored by PwC Australia and GNGB, has found that Australia’s superannuation system must urgently continue to build its cyber resilience to secure Australians’ $2.9 trillion in retirement savings.
Conducted in association with PwC, with more than 80 C-level superannuation and cyber experts in the Australian superannuation industry, the report identified three key risk areas for the super ecosystem, which comprises almost 1.5 million separate organisations:
- theft of member data that are then used to commit fraud for financial gain
- loss/theft of member data resulting in a privacy breach and associated fines and penalties
- compromised business systems that affect business operations and therefore jeopardise member services.
GNGB Executive Officer Michelle Bower said that while these risks are not unique to super, the complex nature of the ecosystem means they’re of critical importance for the rapidly changing superannuation landscape.
“Cyber threats tend to be fairly similar across a range of industry targets, but the sheer number of organisations involved in super, the size and national importance of the super pool means that while there have been no large-scale successful attacks to date, if there were one it could have very severe consequences for a huge number of people,” she said. “As an industry-owned governance body who oversees part of the ecosystem, we set out to understand what the biggest risks are across the environment, and how we can best manage those.
“The evidence is clear that the way forward is collaboration. GNGB is calling on all organisations within the ecosystem to work together to strengthen our resilience. This report represents an important step on this journey – the beginning of the conversation that will enable us to make practical changes.”
ASFA CEO Dr Martin Fahy said that the time had come for the super industry to collaborate on cyber initiatives to protect members.
“People often think of the superannuation sector just in terms of the super funds, but the value chain is made up of more than just the funds,” he said. “The critical point to make is that the industry as a whole is only as strong as our weakest link. This report throws into stark relief the importance of working together on cybersecurity and sharing our expertise for the benefit of the whole.”
The report outlines an ideal state for the superannuation industry where all organisations have implemented minimum cybersecurity controls; a system exists to identify and share cyber threats and intelligence in real time; capabilities to prevent and manage risks from member behaviour are built into the ecosystem; and a rehearsed and coordinated approach is in place to respond to cyber incidents.
Peter Malan, Cybersecurity & Digital Trust Partner at PwC Australia, said, “This research has highlighted that Australia's unique and complex superannuation ecosystem is a highly attractive target that is being increasingly exploited by cyber criminals. It is imperative that we come together to improve the cyber resilience of the ecosystem. In this dynamic and fast changing world we’re operating in, the time to act to protect the financial wellbeing of superannuation members is now.”
Craig Cummins, PwC Australia’s Superannuation Leader, said, “Individual industry participants should continue to focus on improving their cyber resilience but that alone will not address the risks identified by the research. The stakes are high and a coordinated approach among industry participants and regulators will be required to improve the system as a whole, and better protect people's retirement savings from cyber threats.”
Before the pandemic, funds were having to do everything they did before, just faster, better and to a much higher standard. The pace has now increased further, bringing existing and new threats to the fore and multiplying the nature and range of cybersecurity risks.
Though the risks of a cyber attack are not unique to the superannuation industry, with approximately $2.9 trillion in funds under management, it is a lucrative target for cybersecurity-related activity. A failure to collectively address this threat as an industry will have far-reaching consequences for the sector, and the Australian nation as a whole. The time to act is now.
GNGB convenes a security committee which has looked at cybersecurity issues since its inception in February 2019. All superannuation industry participants are welcome to contribute to the conversation.
The report, Securing the future: Protecting Australia’s superannuation ecosystem against cybersecurity threats, was commissioned by Gateway Network Governance Body Ltd (GNGB) and co-authored by PwC Australia and GNGB. It is specifically aimed at understanding the risks and challenges presented within our ecosystem, and encouraging implementation of a coordinated capability to improve protection and cyber resilience across the industry.